From e9baddfd6b3e2124373ed225f1b5df1b279455a8 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 15 Jun 2015 11:05:04 -0700 Subject: [PATCH 001/147] add a file analyzer to parse ocsp request and response add two events: ocsp_request and ocsp_response --- scripts/base/files/ocsp/README | 1 + scripts/base/files/ocsp/__load__.bro | 1 + scripts/base/files/ocsp/main.bro | 11 + scripts/base/init-bare.bro | 44 ++ scripts/base/init-default.bro | 1 + src/SerialTypes.h | 2 + src/Type.h | 2 + src/file_analysis/analyzer/CMakeLists.txt | 1 + .../analyzer/ocsp/CMakeLists.txt | 10 + src/file_analysis/analyzer/ocsp/OCSP.cc | 637 ++++++++++++++++++ src/file_analysis/analyzer/ocsp/OCSP.h | 66 ++ src/file_analysis/analyzer/ocsp/Plugin.cc | 25 + src/file_analysis/analyzer/ocsp/events.bif | 23 + src/file_analysis/analyzer/ocsp/types.bif | 4 + src/main.cc | 6 +- 15 files changed, 833 insertions(+), 1 deletion(-) create mode 100644 scripts/base/files/ocsp/README create mode 100644 scripts/base/files/ocsp/__load__.bro create mode 100644 scripts/base/files/ocsp/main.bro create mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt create mode 100644 src/file_analysis/analyzer/ocsp/OCSP.cc create mode 100644 src/file_analysis/analyzer/ocsp/OCSP.h create mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc create mode 100644 src/file_analysis/analyzer/ocsp/events.bif create mode 100644 src/file_analysis/analyzer/ocsp/types.bif diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README new file mode 100644 index 0000000000..beabe8a3fc --- /dev/null +++ b/scripts/base/files/ocsp/README @@ -0,0 +1 @@ +Support for ocsp file analysis framework. diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/files/ocsp/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file 
diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro new file mode 100644 index 0000000000..1b3dfdeffc --- /dev/null +++ b/scripts/base/files/ocsp/main.bro @@ -0,0 +1,11 @@ +@load base/frameworks/files +@load base/utils/paths + +module FileOCSP; + +export { + ## add one more argument to indicate is ocsp response or request + redef record Files::AnalyzerArgs += { + ocsp_type: string &optional; + }; +} diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 23f4fd43dd..fdc05f2df4 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2927,6 +2927,50 @@ export { }; } + +module OCSP; +export { + type OneReq: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + #RequestExtensions: xxx + }; + type Request: record { + version: count &log &optional; + requestorName: string &log &optional; + requestList: vector of OneReq; + #requestExtensions: xxx + }; + type SingleResp: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + certStatus: string &log; + thisUpdate: string &log; + nextUpdate: string &log &optional; + #Extensions: xxx + }; + type Response: record { + responseStatus: string &log; + responseType: string &log; + version: count &log; + responderID: string &log; + producedAt: string &log; + responses: vector of SingleResp; + #responseExtensions:xxx + signatureAlgorithm: string &log; + signature: string; #&log; + }; + } + +module GLOBAL; +type ocsp_req_vec: vector of OCSP::OneReq; +type ocsp_resp_vec: vector of OCSP::SingleResp; + + module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 473d94fc84..61cd41a189 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro 
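Review bot: Several fields of the new OCSP::Request and OCSP::Response records in the init-bare.bro hunk are declared mandatory although OCSP.cc in this same commit fills them only conditionally: `requestList` and `responses` are assigned only when the parsed message carries at least one entry, and `version` only when ASN1_INTEGER_get does not return -1. A record handed to scriptland with an unset non-optional field raises a runtime error as soon as a handler reads it, so these should be `requestList: vector of OneReq &optional;`, `responses: vector of SingleResp &optional;` and `version: count &log &optional;` on Response as it already is on Request. The OneReq and SingleResp string fields filled by ocsp_fill_cert_id have the same exposure whenever a conversion returns a non-positive length, so either they become `&optional` too or the analyzer assigns an empty string on failure. The `#RequestExtensions: xxx` style placeholders would read better as explicit `# TODO: extensions not parsed yet` comments.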
@@ -65,6 +65,7 @@ @load base/files/extract @load base/files/unified2 @load base/files/x509 +@load base/files/ocsp @load base/misc/find-checksum-offloading @load base/misc/find-filtered-trace diff --git a/src/SerialTypes.h b/src/SerialTypes.h index cf2c52a08b..6b81227464 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -115,6 +115,8 @@ SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) SERIAL_VAL(COMM_DATA_VAL, 25) +SERIAL_VAL(OCSP_REQ_VAL, 26) +SERIAL_VAL(OCSP_RESP_VAL, 27) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) diff --git a/src/Type.h b/src/Type.h index f902b0d907..3f886f55dc 100644 --- a/src/Type.h +++ b/src/Type.h @@ -627,6 +627,8 @@ extern OpaqueType* cardinality_type; extern OpaqueType* topk_type; extern OpaqueType* bloomfilter_type; extern OpaqueType* x509_opaque_type; +extern OpaqueType* ocsp_req_opaque_type; +extern OpaqueType* ocsp_resp_opaque_type; // Returns the Bro basic (non-parameterized) type with the given type. // The reference count of the type is not increased. diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index 225504c56a..bd5428a49e 100644 --- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -4,3 +4,4 @@ add_subdirectory(hash) add_subdirectory(pe) add_subdirectory(unified2) add_subdirectory(x509) +add_subdirectory(ocsp) \ No newline at end of file diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt new file mode 100644 index 0000000000..d1cff9d157 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro OCSP) +bro_plugin_cc(OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif) +bro_plugin_end() 
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc new file mode 100644 index 0000000000..08df3e4ce6 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc 
@@ -0,0 +1,637 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include + +#include "OCSP.h" +#include "Event.h" + +#include "events.bif.h" +#include "types.bif.h" + +#include "file_analysis/Manager.h" + +#include +#include +#include +#include + +using namespace file_analysis; + +IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); +IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); + +#define OCSP_STRING_BUF_SIZE 2048 + +//this function is copied from src/file_analysis/analyzer/extract/Extract.cc +static Val* get_extract_field_val(RecordVal* args, const char* name) + { + Val* rval = args->Lookup(name); + if ( ! rval ) + reporter->Error("File extraction analyzer missing arg field: %s", name); + return rval; + } + +//convert different ANS1 type to c string +static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) + { + if (data == NULL || buf == NULL || buf_len <=0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + + if (type == V_ASN1_OCTET_STRING) + { + if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_OCTET_STRING) <= 0) + goto err; + } + else if (type == V_ASN1_BIT_STRING) + { + if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_BIT_STRING) <= 0) + goto err; + } + else if (type == V_ASN1_INTEGER) + { + if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) + goto err; + } + else if (type == V_ASN1_OBJECT) + { + if (i2a_ASN1_OBJECT(bio, (ASN1_OBJECT *)data) <= 0) + goto err; + } + else if (type == V_ASN1_GENERALIZEDTIME) + { + // TODO: convert ASN1_GENERALIZEDTIME to epoch time? + // new API: ASN1_TIME_diff() requires openssl 1.0.2 + // epoch time might be better for post processing + + // NOTE: this is for human readable time format + //if (!ASN1_GENERALIZEDTIME_print(bio, (ASN1_GENERALIZEDTIME *)data)) + // goto err; + + // NOTE: this is printing the raw string which is also understandable + // since this is smaller, let's keep ASN1_GENERALIZEDTIME as this for now? 
+ ASN1_GENERALIZEDTIME *tmp = (ASN1_GENERALIZEDTIME *)data; + BIO_write(bio, tmp->data, tmp->length); + } + + else + goto err; + + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//ANS1 OCTET string to c string +static int ASN1_OCTET_STRING_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_OCTET_STRING); + } + +//ANS1 BIT string to c string +static int ASN1_BIT_STRING_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_BIT_STRING); + } + +//ANS1 integer to c string +static int ASN1_INTEGER_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_INTEGER); + } + +//ANS1 object to c string +static int ASN1_OBJECT_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_OBJECT); + } + +//ASN1_GENERALIZEDTIME to c string +static int ASN1_GENERALIZEDTIME_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_GENERALIZEDTIME); + } + +//CENERAL XXX to c string +static int GENERAL_NAME_to_cstr(char *buf, int buf_len, void *data) + { + if (data == NULL || buf == NULL || buf_len <= 0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + if (GENERAL_NAME_print(bio, (GENERAL_NAME *)data) <= 0) + goto err; + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//OCSP respond id to c string +static int OCSP_RESPID_to_cstr(char *buf, int buf_len, OCSP_RESPID *resp_id) + { + if (resp_id == NULL || buf == NULL || buf_len <= 0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + if (resp_id->type == V_OCSP_RESPID_NAME) + { + if (X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE) <=0) + goto err; + } + else if (resp_id->type == V_OCSP_RESPID_KEY) + { + if (i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING) <= 0) + 
goto err; + } + else + goto err; + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//print out a cert id for debug +static void ocsp_print_cert_id(OCSP_CERTID *cid) + { + if (cid == NULL) + return; + char buf[OCSP_STRING_BUF_SIZE]; + int len = sizeof(buf); + memset(buf, 0, len); + int new_len = -1; + + //print hashAlgorithm + new_len = ASN1_OBJECT_to_cstr(buf, len, (void *)(cid->hashAlgorithm->algorithm)); + StringVal hashAlgorithm = StringVal(new_len, buf); + printf("[%d]hashAlgorithm: %s\n", new_len, hashAlgorithm.CheckString()); + + //print issuerNameHash + new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerNameHash)); + StringVal issuerNameHash = StringVal(new_len, buf); + printf("[%d]issuerNameHash: %s\n", new_len, issuerNameHash.CheckString()); + + //print issuerKeyHash + new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + StringVal issuerKeyHash = StringVal(new_len, buf); + printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); + + //print serialNumber + new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + StringVal serialNumber = StringVal(new_len, buf); + printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); + } + +//fill in cert id +static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) + { + if (d == NULL || cert_id == NULL) + return; + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + //hashAlgorithm + int len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(cert_id->hashAlgorithm->algorithm)); + if (len > 0) + d->Assign(0, new StringVal(len, buf)); + + //issuerNameHash + len = -1; + len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerNameHash)); + if (len > 0) + d->Assign(1, new StringVal(len, buf)); + + //issuerKeyHash + len = -1; + len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + if (len > 0) + 
d->Assign(2, new StringVal(len, buf)); + + //serialNumber + len = -1; + len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + if (len > 0) + d->Assign(3, new StringVal(len, buf)); + } + +file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) + { + Val* ocsp_type = get_extract_field_val(args, "ocsp_type"); + if (! ocsp_type ) + return 0; + return new OCSP(args, file, ocsp_type->AsString()->CheckString()); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) + : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) + { + ocsp_type = arg_ocsp_type; + ocsp_data.clear(); + } + +bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) + { + ocsp_data.append(reinterpret_cast(data), len); + return true; + } + +bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) + { + return false; + } + +// parse OCSP request or response and send data to bro scriptland +bool file_analysis::OCSP::EndOfFile() + { + OCSP_REQUEST *req = NULL; + OCSP_RESPONSE *resp = NULL; + + const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); + + if (ocsp_type == "request") + { + req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + if (!req) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + goto ocsp_cleanup; + } + + //parse request into record + OCSP_REQVal* req_val = new OCSP_REQVal(req); + RecordVal* req_record = ParseRequest(req_val); + if (!req_record) + { + reporter->Weird(fmt("Internal fail to parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + Unref(req_val); + goto ocsp_cleanup; + } + + // and send the record on to scriptland + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(req_val->Ref()); + vl->append(req_record->Ref()); + mgr.QueueEvent(ocsp_request, vl); + + Unref(req_val); + Unref(req_record); + } + else if (ocsp_type == 
"response") + { + resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + if (!resp) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + goto ocsp_cleanup; + } + + //parse request into record + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); + RecordVal* resp_record = ParseResponse(resp_val); + if (!resp_record) + { + reporter->Weird(fmt("Internal fail to parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + Unref(resp_val); + goto ocsp_cleanup; + } + + // and send the record on to scriptland + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(resp_val->Ref()); + vl->append(resp_record->Ref()); + mgr.QueueEvent(ocsp_response, vl); + + Unref(resp_val); + Unref(resp_record); + } + else + reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); +ocsp_cleanup: + //if (resp) + // OCSP_RESPONSE_free(resp); + //if (req) + // OCSP_REQUEST_free(req); + return false; +} + +// parse OCSP request and trigger event +RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) + { + if (req_val == NULL) + return NULL; + OCSP_REQUEST *req = NULL; + OCSP_ONEREQ *one_req = NULL; + OCSP_CERTID *cert_id = NULL; + OCSP_REQINFO *inf = NULL; + //OCSP_SIGNATURE *sig = NULL; + + RecordVal* ocsp_req_record = NULL; + VectorVal* all_req_bro = NULL; + + int req_count = -1, i = -1, len = -1; + long version = -1; + + req = req_val->GetReq(); + if (req == NULL) + return NULL; + + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + inf = req->tbsRequest; + //sig = req->optionalSignature; + if (inf == NULL) + return NULL; + + ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); + if (!ocsp_req_record) + { + reporter->Error("Cannot create OCSP request structure: Internal memory error"); + return NULL; + } + + //version + version = ASN1_INTEGER_get(inf->version); + if (version != -1) + 
ocsp_req_record->Assign(0, new Val((uint64)version, TYPE_COUNT)); + + //requestorName + if (inf->requestorName != NULL) + { + len = -1; + len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); + if (len > 1) + ocsp_req_record->Assign(1, new StringVal(len, buf)); + } + + //deal with details of the request + req_count = OCSP_request_onereq_count(req); + if (req_count <= 0) + goto clean_up; + for (i=0; iAsVectorType()); + RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); + + ocsp_fill_cert_id(cert_id, one_req_bro); + all_req_bro->Assign(all_req_bro->Size(), one_req_bro); + } + + if (all_req_bro != NULL) + ocsp_req_record->Assign(2, all_req_bro); +clean_up: + return ocsp_req_record; +} + +// parse OCSP response and trigger event +RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) + { + if (resp_val == NULL) + return NULL; + + OCSP_RESPONSE *resp = NULL; + OCSP_RESPBYTES *resp_bytes = NULL; + OCSP_CERTID *cert_id = NULL; + OCSP_BASICRESP *basic_resp = NULL; + OCSP_RESPDATA *resp_data = NULL; + OCSP_RESPID *resp_id = NULL; + OCSP_SINGLERESP *single_resp = NULL; + + //OCSP_CERTSTATUS *cst = NULL; + //OCSP_REVOKEDINFO *rev = NULL; + + RecordVal *ocsp_resp_record = NULL; + VectorVal *all_resp_bro = NULL; + + int resp_count = -1, status = -1, i = -1, len = -1; + long version = -1; + + resp = resp_val->GetResp(); + if (resp == NULL) + return NULL; + + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); + if (!ocsp_resp_record) + { + reporter->Error("Cannot create OCSP response structure: Internal memory error"); + return NULL; + } + + //responseStatus + status = OCSP_response_status(resp); + const char *status_str = OCSP_response_status_str(status); + ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + + //responseType + resp_bytes = resp->responseBytes; + if (!resp_bytes) + goto clean_up; 
+ len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(resp_bytes->responseType)); + if (len > 0) + ocsp_resp_record->Assign(1, new StringVal(len, buf)); + + //get the basic response + basic_resp = OCSP_response_get1_basic(resp); + if (!basic_resp) + goto clean_up; + resp_data = basic_resp->tbsResponseData; + if (!resp_data) + goto clean_up; + + //version + version = ASN1_INTEGER_get(resp_data->version); + if (version != -1) + ocsp_resp_record->Assign(2, new Val((uint64)version, TYPE_COUNT)); + + //responderID + resp_id = resp_data->responderId; + len = -1; + len = OCSP_RESPID_to_cstr(buf, buf_len, resp_id); + if (len > 0) + ocsp_resp_record->Assign(3, new StringVal(len, buf)); + + //producedAt + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(resp_data->producedAt)); + if (len > 0) + ocsp_resp_record->Assign(4, new StringVal(len, buf)); + + //responses + resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); + if (resp_count <= 0) + goto clean_up; + for (i=0; iresponses, i); + if (!single_resp) + continue; + if (all_resp_bro == NULL) + all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); + RecordVal *single_resp_bro = new RecordVal(BifType::Record::OCSP::SingleResp); + + //cert id + cert_id = single_resp->certId; + ocsp_fill_cert_id(cert_id, single_resp_bro); + + //certStatus + const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); + single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + + //thisUpdate + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->thisUpdate)); + if (len > 0) + single_resp_bro->Assign(5, new StringVal(len, buf)); + + //nextUpdate + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->nextUpdate)); + if (len > 0) + single_resp_bro->Assign(6, new StringVal(len, buf)); + + all_resp_bro->Assign(all_resp_bro->Size(), single_resp_bro); + } + if (all_resp_bro != NULL) + 
ocsp_resp_record->Assign(5, all_resp_bro); + + //signatureAlgorithm + if (basic_resp->signatureAlgorithm) + { + len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(basic_resp->signatureAlgorithm->algorithm)); + if (len > 0) + ocsp_resp_record->Assign(6, new StringVal(len, buf)); + } + //signature + if (basic_resp->signature) + { + len = -1; + len = ASN1_BIT_STRING_to_cstr(buf, buf_len, (void *)(basic_resp->signature)); + if (len > 0) + ocsp_resp_record->Assign(7, new StringVal(len, buf)); + } +clean_up: + return ocsp_resp_record; +} + +//OCSP_REQVal +OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) + { + ocsp_req = arg_ocsp_req; + } + +OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) + { + ocsp_req = NULL; + } + +OCSP_REQVal::~OCSP_REQVal() + { + if (ocsp_req) + OCSP_REQUEST_free(ocsp_req); + } + +OCSP_REQUEST* OCSP_REQVal::GetReq() const + { + return ocsp_req; + } + +bool OCSP_REQVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); + unsigned char *buf = NULL; + int length = i2d_OCSP_REQUEST(ocsp_req, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_req_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) + return false; + opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. 
+ ocsp_req = d2i_OCSP_REQUEST(NULL, const_cast(&opensslbuf), length); + delete[] ocsp_req_buf; + if ( !ocsp_req ) + return false; + return true; + } + + +//OCSP_RESPVal +OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = arg_ocsp_resp; + } + +OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = NULL; + } + +OCSP_RESPVal::~OCSP_RESPVal() + { + if (ocsp_resp) + OCSP_RESPONSE_free(ocsp_resp); + } + +OCSP_RESPONSE* OCSP_RESPVal::GetResp() const + { + return ocsp_resp; + } + +bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); + unsigned char *buf = NULL; + int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_resp_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) + return false; + opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. + ocsp_resp = d2i_OCSP_RESPONSE(NULL, const_cast(&opensslbuf), length); + delete[] ocsp_resp_buf; + if ( !ocsp_resp ) + return false; + return true; + } diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/ocsp/OCSP.h new file mode 100644 index 0000000000..ecdba6582d --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/OCSP.h 
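Review bot: In ocsp_fill_cert_id the serialNumber field is built from `cert_id->issuerKeyHash` instead of `cert_id->serialNumber`, so scriptland receives the issuer key hash (an OCTET STRING pushed through i2a_ASN1_INTEGER) under the serialNumber name; the line should read `len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber));`, and the debug helper ocsp_print_cert_id repeats the same copy-paste. ParseResponse also obtains `basic_resp` through OCSP_response_get1_basic, whose get1 naming means the caller owns the returned object, and never frees it, leaking one OCSP_BASICRESP per parsed response; adding `if (basic_resp) OCSP_BASICRESP_free(basic_resp);` before `return ocsp_resp_record;` at clean_up (basic_resp is initialised to NULL, so the early gotos are safe) closes it. Less urgently, ANS1_to_cstr, GENERAL_NAME_to_cstr and OCSP_RESPID_to_cstr never check BIO_new for NULL before writing through the BIO, and ocsp_print_cert_id is an unused static that prints to stdout via printf, so it should be dropped or placed behind a debug macro. The 2048-byte buffer silently truncates longer values through BIO_read; a comment on OCSP_STRING_BUF_SIZE stating that truncation is intended would document the choice.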
@@ -0,0 +1,66 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef FILE_ANALYSIS_OCSP_H +#define FILE_ANALYSIS_OCSP_H + +#include + +#include "Val.h" +#include "../File.h" +#include "Analyzer.h" + +#include +#include +#include + +namespace file_analysis { + +class OCSP_REQVal; +class OCSP_RESPVal; + +class OCSP : public file_analysis::Analyzer { +public: + virtual bool DeliverStream(const u_char* data, uint64 len); + virtual bool Undelivered(uint64 offset, uint64 len); + virtual bool EndOfFile(); + + static RecordVal *ParseResponse(OCSP_RESPVal *); + static RecordVal *ParseRequest(OCSP_REQVal *); + + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); + +protected: + OCSP(RecordVal* args, File* file, const string& ocsp_type); + +private: + std::string ocsp_data; + std::string ocsp_type; +}; + +class OCSP_REQVal: public OpaqueVal { +public: + explicit OCSP_REQVal(OCSP_REQUEST *); + ~OCSP_REQVal(); + OCSP_REQUEST *GetReq() const; +protected: + OCSP_REQVal(); +private: + OCSP_REQUEST *ocsp_req; + DECLARE_SERIAL(OCSP_REQVal); +}; + +class OCSP_RESPVal: public OpaqueVal { +public: + explicit OCSP_RESPVal(OCSP_RESPONSE *); + ~OCSP_RESPVal(); + OCSP_RESPONSE *GetResp() const; +protected: + OCSP_RESPVal(); +private: + OCSP_RESPONSE *ocsp_resp; + DECLARE_SERIAL(OCSP_RESPVal); +}; + +} + +#endif diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc new file mode 100644 index 0000000000..f7edbd1d6d --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/Plugin.cc 
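Review bot: OCSP_REQVal and OCSP_RESPVal own a raw OpenSSL pointer that their destructors free, yet neither class declares or deletes copy construction and assignment, so any copy of one of these values would double-free `ocsp_req`/`ocsp_resp`; declaring the copy operations private without a definition, in the same style the class already uses for its protected default constructor, prevents that. The header also gives no hint of what `ocsp_type` accepts, and EndOfFile in OCSP.cc only understands "request" and "response"; a one-line comment on the constructor parameter, `// ocsp_type: "request" or "response", taken from Files::AnalyzerArgs$ocsp_type`, would spare readers a trip to the implementation. Validating the string in Instantiate rather than at EndOfFile would also reject a bad argument before any data is buffered.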
@@ -0,0 +1,25 @@ +// See the file in the main distribution directory for copyright. + + +#include "plugin/Plugin.h" + +#include "OCSP.h" + +namespace plugin { +namespace Bro_OCSP { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::OCSP"; + config.description = "OCSP analyzer"; + return config; + } +} plugin; + +} +} diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/ocsp/events.bif new file mode 100644 index 0000000000..b956e2c12e --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/events.bif @@ -0,0 +1,23 @@ +## Generated for encountered OCSP request +## +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP request +## +## req: The parsed OCSP request information. +## +event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%); + +## Generated for encountered OCSP response +## +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP response +## +## req: The parsed OCSP response information. +## +event ocsp_response%(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response%); diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/ocsp/types.bif new file mode 100644 index 0000000000..e005f1274e --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/types.bif @@ -0,0 +1,4 @@ +type OCSP::Request: record; +type OCSP::Response: record; +type OCSP::OneReq: record; +type OCSP::SingleResp: record; \ No newline at end of file diff --git a/src/main.cc b/src/main.cc index 61cc35f198..be38f6ca39 100644 --- a/src/main.cc +++ b/src/main.cc 
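Review bot: The documentation block for ocsp_response in events.bif describes parameters named `req_ref` and `req`, but the event signature declares `resp_ref` and `resp`, so the generated documentation will not match the actual arguments; rename the two entries to `resp_ref: An opaque pointer to the underlying OpenSSL data structure of the OCSP response` and `resp: The parsed OCSP response information.` Both event comments say only "Generated for encountered OCSP request/response" without stating when the event fires; since OCSP.cc queues them from EndOfFile, a sentence such as `Raised once the whole file has been delivered and parsed successfully.` would help handler authors.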
@@ -131,6 +131,8 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; +OpaqueType* ocsp_req_opaque_type = 0; +OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line int bro_argc; @@ -873,7 +875,9 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - + ocsp_req_opaque_type = new OpaqueType("ocsp_req"); + ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); + // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is From d84d1d24e80e14d29bad8217261a1a4e1979d883 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 17 Jun 2015 19:18:37 -0700 Subject: [PATCH 002/147] add ocsp logging --- scripts/base/files/ocsp/main.bro | 233 +++++++++++++++++++++- scripts/base/init-bare.bro | 10 +- src/file_analysis/analyzer/ocsp/types.bif | 3 +- 3 files changed, 241 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1b3dfdeffc..a6b91529ba 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro 
@@ -1,11 +1,240 @@ @load base/frameworks/files @load base/utils/paths +@load base/utils/queue -module FileOCSP; +module OCSP; export { - ## add one more argument to indicate is ocsp response or request + ## add one more argument to tell ocsp response or request redef record Files::AnalyzerArgs += { ocsp_type: string &optional; }; + + ## ocsp logging + redef enum Log::ID += { LOG }; + + ## tyep for pending ocsp request + type PendingRequests: table[OCSP::CertId] of Queue::Queue; + + ## NOTE: one file could contain several requests + ## one ocsp request record + type Info_req: record { + ## time for the request + ts: time; + ## file id for this request + id: string &log; + ## version + version: count &log &optional; + ## requestor name + requestorName: string &log &optional; + ## NOTE: the above are for one file which may constain + ## several ocsp requests + ## request cert id + certId: OCSP::CertId &log &optional; + }; + + ## NOTE: one file could contain several response + ## one ocsp response record + type Info_resp: record { + ## time for the response + ts: time; + ## file id for this response + id: string &log; + ## responseStatus (different from cert status?) + responseStatus: string &log; + ## responseType + responseType: string &log; + ## version + version: count &log; + ## responderID + responderID: string &log; + ## producedAt + producedAt: string &log; + + ## NOTE: the following are specific to one cert id + ## the above are for one file which may contain + ## several responses + + ## certStatus (this is the response to look at) + certStatus: string &log &optional; + ## thisUpdate + thisUpdate: string &log &optional; + ## nextUpdate + nextUpdate: string &log &optional; + }; + + type Info: record { + ## timestamp for request if both request is present + ## OR timestamp for response if request is not found + ts: time &log; + req: Info_req &log &optional; + resp: Info_resp &log &optional; + }; + + ## Event for accessing logged OCSP records. 
+ global log_ocsp: event(rec: Info); } + +redef record connection += { + ## keep track of pending requests received so for + ocsp_requests: PendingRequests &optional; + }; + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + } + +function get_http_info(f: fa_file, meta: fa_metadata) + { + if (f$source != "HTTP" || !meta?$mime_type) + return; + + # call OCSP file analyzer + if (meta$mime_type == "application/ocsp-request") + Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); + else if (meta$mime_type == "application/ocsp-response") + Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); + } + +event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 + { + if (f$source == "HTTP") + get_http_info(f, meta); + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 + { + local conn: connection; + local cid: conn_id; + + # there should be only one loop: one connection + for (id in f$conns) + { + cid = id; + conn = f$conns[id]; + } + + if (req?$requestList) + { + for (x in req$requestList) + { + local one_req = req$requestList[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + if (!conn?$ocsp_requests) + conn$ocsp_requests = table(); + + if (cert_id !in conn$ocsp_requests) + conn$ocsp_requests[cert_id] = Queue::init(); + + Queue::put(conn$ocsp_requests[cert_id], req_rec); + } + } + else + { + # no request content? 
this is weird but log it anyway + local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; + if (req?$version) + req_rec_empty$version = req$version; + if (req?$requestorName) + req_rec_empty$requestorName = req$requestorName; + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); + } + } + +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 + { + local conn: connection; + local cid: conn_id; + + # there should be only one loop + for (id in f$conns) + { + cid = id; + conn = f$conns[id]; + } + + if (resp?$responses) + { + for (x in resp$responses) + { + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + + if (cert_id in conn$ocsp_requests) + { + # find a match + local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); + Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); + if (Queue::len(conn$ocsp_requests[cert_id]) == 0) + delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? + } + else + { + # do not find a match; this is weird but log it + Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); + } + } + } + else + { + # no response content? 
this is weird but log it anyway + local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt]; + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); + } + } + +function log_unmatched_msgs_queue(q: Queue::Queue) + { + local reqs: vector of Info_req; + Queue::get_vector(q, reqs); + + for ( i in reqs ) + Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); + } + +function log_unmatched_msgs(msgs: PendingRequests) + { + for ( cert_id in msgs ) + log_unmatched_msgs_queue(msgs[cert_id]); + + clear_table(msgs); + } + +# need to log unmatched ocsp request if any +event connection_state_remove(c: connection) &priority= -5 + { + if (! c?$ocsp_requests) + return; + log_unmatched_msgs(c$ocsp_requests); + } diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index fdc05f2df4..a1dfe2ee06 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2961,8 +2961,14 @@ export { producedAt: string &log; responses: vector of SingleResp; #responseExtensions:xxx - signatureAlgorithm: string &log; - signature: string; #&log; + signatureAlgorithm: string &log &optional; + signature: string &optional; #&log; + }; + type CertId: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; }; } diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/ocsp/types.bif index e005f1274e..8d8cb5dd9b 100644 --- a/src/file_analysis/analyzer/ocsp/types.bif +++ b/src/file_analysis/analyzer/ocsp/types.bif @@ -1,4 +1,5 @@ type OCSP::Request: record; type OCSP::Response: record; type OCSP::OneReq: record; -type OCSP::SingleResp: record; \ No newline at end of file +type OCSP::SingleResp: record; +type OCSP::CertId: record; From d1c568663ca58808e8d7b9a104efe094de121c74 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Fri, 19 Jun 2015 09:37:10 -0700 Subject: [PATCH 003/147] add btest and fix bug --- scripts/base/files/ocsp/main.bro | 19 ++++++++++-------- src/file_analysis/analyzer/ocsp/OCSP.cc | 8 +++++--- .../ocsp.log | 10 +++++++++ .../ocsp.log | 10 +++++++++ .../ocsp.log | 10 +++++++++ .../btest/Traces/tls/ocsp-request-only.pcap | Bin 0 -> 1207 bytes .../Traces/tls/ocsp-request-response.pcap | Bin 0 -> 3565 bytes .../btest/Traces/tls/ocsp-response-only.pcap | Bin 0 -> 3054 bytes .../base/protocols/ssl/ocsp-request-only.test | 4 ++++ .../protocols/ssl/ocsp-request-response.test | 4 ++++ .../protocols/ssl/ocsp-response-only.test | 4 ++++ 11 files changed, 58 insertions(+), 11 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-request-only.pcap create mode 100644 testing/btest/Traces/tls/ocsp-request-response.pcap create mode 100644 testing/btest/Traces/tls/ocsp-response-only.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index a6b91529ba..7417c6f6fb 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -30,7 +30,7 @@ export { ## NOTE: the above are for one file which may constain ## several ocsp requests ## request cert id - certId: OCSP::CertId &log &optional; + certId: OCSP::CertId &optional; }; ## NOTE: one file could contain several response 
@@ -54,7 +54,8 @@ export { ## NOTE: the following are specific to one cert id ## the above are for one file which may contain ## several responses - + ##cert id + certId: OCSP::CertId &optional; ## certStatus (this is the response to look at) certStatus: string &log &optional; ## thisUpdate @@ -67,8 +68,9 @@ export { ## timestamp for request if both request is present ## OR timestamp for response if request is not found ts: time &log; - req: Info_req &log &optional; - resp: Info_resp &log &optional; + certId: OCSP::CertId &log &optional; + req: Info_req &log &optional; + resp: Info_resp &log &optional; }; ## Event for accessing logged OCSP records. @@ -181,23 +183,24 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt, + $certId = cert_id, $certStatus = single_resp$certStatus, $thisUpdate = single_resp$thisUpdate]; if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - if (cert_id in conn$ocsp_requests) + if (conn?$ocsp_requests && cert_id in conn$ocsp_requests) { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); } } } @@ -220,7 +223,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue) Queue::get_vector(q, reqs); for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); + Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); } function log_unmatched_msgs(msgs: PendingRequests) 
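Review bot: The added `conn?$ocsp_requests &&` guard in ocsp_response still evaluates `conn`, which the handler only assigns inside its `for (id in f$conns)` loop at the top of the function (outside this hunk); for a file with no attached connection the local is never set, so the `?$` test itself should fail at runtime rather than fall through to the unmatched branch. An explicit check ahead of the response loop, e.g. `if ( |f$conns| == 0 ) return;`, or a flag set inside that loop, closes the gap. The `#if queue is empty, delete it?` comment on the kept `delete` line is an open question in committed code; the code does delete, so the comment should say so, e.g. `# drop the per-cert queue once it is drained`.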
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index 08df3e4ce6..ea90967cfc 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -52,6 +52,8 @@ static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) } else if (type == V_ASN1_INTEGER) { + // NOTE: this will print the hex number + // wireshark may display decimal number if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) goto err; } @@ -183,7 +185,7 @@ static void ocsp_print_cert_id(OCSP_CERTID *cid) printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); //print serialNumber - new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber)); StringVal serialNumber = StringVal(new_len, buf); printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); } @@ -217,7 +219,7 @@ static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) //serialNumber len = -1; - len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber)); if (len > 0) d->Assign(3, new StringVal(len, buf)); } @@ -387,7 +389,7 @@ RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); - ocsp_fill_cert_id(cert_id, one_req_bro); + ocsp_fill_cert_id(cert_id, one_req_bro); all_req_bro->Assign(all_req_bro->Size(), one_req_bro); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log new file mode 100644 index 0000000000..9881f143c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-33 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - +#close 2015-06-19-16-32-33 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log new file mode 100644 index 0000000000..b21cadda9a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-23 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-06-19-16-32-23 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log new file mode 100644 index 0000000000..f5a5c43c7c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-39 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-06-19-16-32-39 
diff --git a/testing/btest/Traces/tls/ocsp-request-only.pcap b/testing/btest/Traces/tls/ocsp-request-only.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1d4e85da0796981c6b52571c94741d32a9dd0f0f GIT binary patch literal 1207 zcmZvcQAiVU9LN8gbFPckW)=}8M-OSb?QVISYpa+pb%f=}EleS~ZvV||x4UyY$CMsM zg7i>5_0*FEq6M{@;!6Zk1ZL?&7(Hi6M2Nj4Q7`@fH{9jiaew&V@Bia-pZov6+{)|1 zeLXM$?J@uzdXT%uBOfCGoI`Uwz_FX(Zr`{i_b*tln?MHurvgv>z;9f+`f|pY3{KZ> zOw@x=W9t(JH&5zQmZ3KQ=nd6#2EB;@#QHs4*Hu;3VDhhmMlLdo{300uKX4iwteA@F zAT&|GIK6%i(Or|Z2PVlijeIF{cOKKX$X8|oXh(0tV}~;n$g9qLnX?Pg6FCc5gJI;T zQ+*4Vj9uI20N6lVf=4+~_c`zs6F)q!NIVGEh_UU&P)~1|q{v`69HN{Kr$`OJlqsu$0R|lZ|~&r;qG}Q7Ogx$ZlR7$&y)* zd(h4J$W+GL;&IT&$u7txBZ?~vMlf% ztMHOYWpSlBTV72HzTwlfOjt7qzWZ1>E?7UqJX z&j0E~!=3lcIQ^jI(_dls=bSCKtgkU0p0F=GdW(<$&t6?AP&=Z^j85UGK2DcKHPP6b zUqyj(N6!?GABAZd#k7Elt92T&JWzlMJX0eY-yW#^>f-cfPtKw<^-HBdy~9*Y?Axyq zD>%-mj`DWL%^ua!3fu#icRGS28nJ?7L3NB(a179KWM|T>1x>LwBP9 literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/ocsp-request-response.pcap b/testing/btest/Traces/tls/ocsp-request-response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..77306ea1902a40af35750385c92707a79227a672 GIT binary patch literal 3565 zcmc(idsGuw9>-^r5Fi)ee?^Q528V>T35+C=b!@p0oSM=H#9;_jm7n z<~#TIojbp2I#|1wg>kU%9|yxx#}+>)_4`x|8;g#ah7FtF{Fl;2w#i3)XL(?881{~O zYcv+kZOUq>;pQf6=+{~vh-pG1w#t~vRV=%Y>2Dau;<(juSROo#cW(s~$JuOmhWxm; zo7}T0D-K2C#Bks~$%a9qZsyYm7MN7i8-bDPWdOJfrv*)$M0PH5O z=w+fNMXLj1kf76P#6%du=Oxe%rxMV5hb=6dHjoBGVVIuIHLm~^DCAS+vPfXhS4tIOa5#vk^f|Ox0ttxz1Q=ts zQ%1T#%nb5*D!rbvA*z!qaEeXNT#Jyj*(_!~=`_<;aRCzvE$AK1wM0&jf?*?tBg7+I zM~Y66D2cRY=aJcz5>QrAs#Zu@T@%8)Cd66ww83o6R)XvzvrPyLl+i*uDLzk4Tb<|z zMM;!3+i6mQ2w8VbS7<}Tp30at64|Ngd6dKHnrEf-jASLqp(vY(w3zb|lh1<*a14xv zF)$i>a@|7vvRMP%Fi!tn9{j16ocz0j8;bQ$j9xVpq_Xjx{?P~OgDVPSB_(@A90 zT85a}AIFAyA}^uVo9G!(Sj`aERlJrMfXPF5y-e(M5|BU$QpWLlv1n4MPqTp`HKb2w4X@==2!)=Ik2FHUK#nw$ zP%1G*D2$SDD4~opV|chhFPAEU_&kkNqXcSAR8V598pLWfK%FuHB&j9>b?OA5icJQw zacMxON(36M3bj~}n5IH479=EUK?<6qRV4#WY79tb@JRGYk<+h^3yIjvuF7D>$4so1Q%Dsd_7huV+ zYl~n3;f0LPPUUa~tW+)G1N$-^4}rVNZZ4v&Bq4ylOvGKl)9Pub(_tVj6!8WWFhQQ6 zPdpvVY(pT?st+SV;czC*76ir9pd+5vkxcaD0ac#UMBB~ILLdV1k^pbUX;4lmBoZi< z$|l42py_{q3X8EXET`t6xlN8t&<4L9z6Qp71gljgT`$(!Wy%_FHN6R+rZ zmMvacG0)F=$^SH|Wj9}gNAOCHDdq42@oZkjbkm*2wZSV!JNuu{KNq<3!KlR=(;)xd z4c`n|G?6`16PvN|%z+iFXBJt)-CM_ICVw+2r6J`e@ode=aO=^U$7wUQ$#q z*TF!4K60Iuki!Uwev?sG-lO~fdmdmZ9@KM{Jg$Z)$eg+%SSDn)x&wG8bVs{>lU><{OH`HP2Q7KqVYeJ z)ZfY>z?`M6&)mrDgKZauvYMos_Y>FgO>yJ0&Nq#lxBl7T{Ral$4!L`MZbW6<={DQR zl-<5ZC#^m(mDSK*`TePrs}$Q}u6XBU$d;BJd9>(jH>`Pn8&$VFK+OAKWAl_o?TvL2 zs-0O+>6ktNnSq~`HF@rl4E3I+_uW{mI=<KTdzo zl)JoDkN5QpXf_U5dWKqAX|G%by}NfyHx3JVJ&D1+&546*sHz%W6;&SDX;8c6kL;O? z-d&Xa_bN?db~y4-Q4^-OTi{rR1~`ZXM{~WVl_%ik&vS8ie;oNStWzZm_Y3;Z7wKsj z^iaC?v4w)OSkTbg;OgC0=|5M75$=tNH|pcRuuhmXx3K!fzAa1DhWpBKPcNje9N3V! z#HRYiHszpU?&X$yi=z}_OAB`l@!#C?u=PpXSg%b(f{)BTnt$r}0^@>VS$i%YI`?A! 
z2N*p)Bl31s_VYe>R}Q|!vt`b>nB7!8d&#j`_dd=2ZF0J2%XgTxt+8FWsJ#m_$yi-n<^B?EQ4 zyw_)q`n3N25@IM*HC;nh)4wU~zj77!*)Nyj+pZnk(4JE4gL_P-yUOt6OfAL`C%w^4 z>|KXpvceiyWoLW24r@Uy4I!9_!^CxVqc^&r%U6B kPK`bV-Ne^u{L-b7?xhiZhHbmfRG%3^T^etr>hr|E0KMCyO8@`> literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/ocsp-response-only.pcap b/testing/btest/Traces/tls/ocsp-response-only.pcap new file mode 100644 index 0000000000000000000000000000000000000000..63fbdde25a3589aa5aef7fa96eec83ca7978aa94 GIT binary patch literal 3054 zcmc(hdsGuw9>-^r5JE5p2nDKzj;sjE>rN5^#-fBk0p*dJfFi6qB!Q%aOqv7~lok;2 zQ5Rd0)`}jXRiKJuQCVAyBDxh7(N(I}>ek|eDldg2wYu89laz<(?w+&%?3{DYnftrH z`P}c^`QAIfjuQ=4G=zbSUJL|<9YfTr#P1UkWG=j?8ZvEd*I$Y@7#6iUu4EyR2=bP6 zUl_}^_WoAX!IQ5r!ATpoeeL^a^l4f+!{0%{944Z=t8jFpvd$&??luoy$$d4LE z$yTP7ZzUs07=kms9VseBM`R@)XKH%ih4i3GCznd>&L}x4XLBP(A0{t8fFR*;CaS%p zStzZyXx5I?90ci^1rEp^wE}8HEqWU$GNtti7abwKq*a)^i_*H+G)`-#PjG!FB#KnC ztwcy`hdLW5VyZKWOtXXXU>i@gbIYx!h&xMPNpwR*zKt&uqZJBSARd5Yd;qY7c^q~G zVOEPVg(lk%!$YvS*?KsF2Vs1^SRfShg;-Rag2R@pjX7$g7?T(XrAEzROG&+1tvCBC zjD+5lt~UBd>XoEQtIrT);aWXm%!MgbrazTvBz0mei&*YYWT-=NJ}waP{V+pznog_q z!}O%T*#aSrS$oROb*ntqSVmuww}rh=b^Kty=YJnLq%QT4hEqH)xG&lNgf| zWQX~lR zzbL5gZOqLjq#YRS9iSaS;`8X_Il7z_>5{MsO&seoS!>kcwcyNfw64k4fW-X}~ zV@e%q8oThh2Kdzog8?ogL1hGzN|OODoykDzsYDJN6fuX`C{kI(?1#7AOgmpDYGY#y zP?S-`ybeQGLE&#zd0;ti5A2xqLGuFPKh+={(OU60^pWtRE9<#3b2f4QbSxb1{D` zitomyoCZXA2%irG0^uU?F3^B5D8|NjBAqtL24OfivN%h0nK|9O+abFir`y-g7YO4S z&S5Q0-lc8ARp4{Mm8ZG`4-Wbjw9{-^Z~x7($%o>Wzzn4(h6ytsbHo#YRvtfp7p zu1p^IrS|6z*JaOdWqKXG+*r7ID1_BCyKnmbqqQk*VP~fg)^fd-`%{0OjYfMn-|qb+ zk5O_l$>q?d*NL-rGu4k5+*BSa-dIt(#>ITy^#UQMcXfhRw49+yIJGV?pI!Q%=6+k1 z_trUP=PNmvJq|sXy-}udcRk$v&D0GG=qqFqDZ4MWY~8*hPZwm{KQ}e*n}rF@33u?P zJ3eNECHuDg{o})Hw3S7Slc0#v4BNM$h`zIuPD5!lmS1h&gJ|6a4=`rQ>}?QGc<_I6 z&LrSwb&lg7&IwSGaO+#_;}3kPF?-%rjoEAv2L>wDMzbj(gH%x#qY?v+Y6EG~nn`1B zAT9v7)on9I+$L8mvyEy@3ZH{#2HYF!ajpX%t{mt(0WJc;0A7n=S2U*k|Jx6s2=yGh z#;C=XTm;71G|Hc+mXkg$gWTeG-nqXtcHsS0gKg7l914m3Z+C<~x%45UO%*!P-LR)xC{n2u#_#fzPpEvbOoF2{U`KYH( zI-PyK*{8oxv7zVTN0$fpa2HDa<9{e@x|@k(tIGPH+7KBh2Cn%DYhzdR#q8v0BIl)D z>6o`>*V9wSTc+Ie>Atl(xP0KkfT2C%u;b~4+gp~p`kgYfG50>f$=9YxSDicovFBDP=x{PgZT6#bn+1Bm6&a_3S#2A#%i2JY0T z7sCZOGg;PykB*Mq*;$7tGF%wWb_w0=ZI6yQxpk#aD!ZtzC^wdG1KiQm(uP5UUXP`4 
zZ!#i*6i6!PRECz!8aAj=_wVeP1^-=Y;~(DTYfYwX_=5~k8g*bUMZ*}71?DjAmzG4M zCC{=@TUQkNF<@9F4R!JS?~{x*4BV8Kb8J2D65{FA;9Y%KFZgFg0B+kBbGs?(3;q0s zt8=TLAKP0dRrQJIJ-M1(F}XQrlR@&UVetvo>Ki@18$&|^%5o1(b*<}p*#CH7uKk{= z-mUqkbIzY#m%eUV+L0S4FF#-V0Ybi)GV5Mw#G`miPO-hbvyo|xofL=5=-2hWNx4e^c*f}7Pu?@ZgCr}>9{=9RrU z!G2bqrtVB(zv6Y}j=e{&f2ETvkMWL^<*~O|M>|{lO6~KKpPrl#KdngY$^A*5@~yw^ zm8Fk`apyvQ`4Qjf=Ud00tZ3x!N}K&@)BA Date: Fri, 19 Jun 2015 15:01:31 -0700 Subject: [PATCH 004/147] add function to get hash of cert issuer name --- scripts/base/files/ocsp/main.bro | 8 +- src/file_analysis/analyzer/x509/functions.bif | 87 +++++++++++++++++++ 2 files changed, 91 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 7417c6f6fb..602f23bcc5 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -13,7 +13,7 @@ export { ## ocsp logging redef enum Log::ID += { LOG }; - ## tyep for pending ocsp request + ## type for pending ocsp request type PendingRequests: table[OCSP::CertId] of Queue::Queue; ## NOTE: one file could contain several requests @@ -27,7 +27,7 @@ export { version: count &log &optional; ## requestor name requestorName: string &log &optional; - ## NOTE: the above are for one file which may constain + ## NOTE: the above are for one file which may contain ## several ocsp requests ## request cert id certId: OCSP::CertId &optional; @@ -65,8 +65,8 @@ export { }; type Info: record { - ## timestamp for request if both request is present - ## OR timestamp for response if request is not found + ## timestamp for request if a corresponding request is present + ## OR timestamp for response if a corresponding request is not found ts: time &log; certId: OCSP::CertId &log &optional; req: Info_req &log &optional; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 216f4c69cc..bb04f27ed8 100644 --- a/src/file_analysis/analyzer/x509/functions.bif 
+++ b/src/file_analysis/analyzer/x509/functions.bif 
@@ -537,3 +537,90 @@ x509_verify_chainerror:
 return rrecord;
 %}
+
+## Get the hash of issuer name of a certificate
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use
+##
+## Returns: A string of hash of issuer name.
+##
+## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
+## x509_ext_subject_alternative_name x509_parse
+## x509_get_certificate_string x509_verify
+function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string
+ %{
+ assert(cert);
+ assert(hash_alg);
+
+ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+ X509 *cert_x509 = cert_handle->GetCertificate();
+ if (cert_x509 == NULL)
+ {
+ builtin_error("cannot get cert from opaque");
+ return NULL;
+ }
+
+ X509_NAME *issuer_name = NULL;
+ StringVal *issuer_name_str = NULL;
+ issuer_name = X509_get_issuer_name(cert_x509);
+ if (issuer_name == NULL)
+ {
+ builtin_error("fail to get issuer name from certificate");
+ return NULL;
+ }
+
+ const char* h = hash_alg->CheckString();
+ if (h == NULL)
+ {
+ builtin_error("fail to get hash algorithm from input");
+ return NULL;
+ }
+
+ const EVP_MD *dgst;
+ if (strcmp(h, "sha1") == 0)
+ dgst = EVP_sha1();
+ else if (strcmp(h, "sha224") == 0)
+ dgst = EVP_sha224();
+ else if (strcmp(h, "sha256") == 0)
+ dgst = EVP_sha256();
+ else if (strcmp(h, "sha384") == 0)
+ dgst = EVP_sha384();
+ else if (strcmp(h, "sha512") == 0)
+ dgst = EVP_sha512();
+ else
+ {
+ reporter->Error("Unknown digest!");
+ return NULL;
+ }
+ if (dgst == NULL)
+ {
+ builtin_error("fail to allocate digest");
+ return NULL;
+ }
+
+ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned int len = 0;
+ ASN1_OCTET_STRING *oct_str = ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
+ int new_len = -1;
+ BIO *bio = BIO_new(BIO_s_mem());
+ char buf[1024];
+ memset(buf, 0, sizeof(buf));
+
+ if (!X509_NAME_digest(issuer_name, dgst, md, &len))
+ goto err;
+ if (!ASN1_OCTET_STRING_set(oct_str, md, len))
+ goto err;
+ if (i2a_ASN1_STRING(bio, oct_str, V_ASN1_OCTET_STRING) <= 0)
+ goto err;
+ new_len = BIO_read(bio, buf, sizeof(buf));
+ if (new_len > 0)
+ issuer_name_str = new StringVal(new_len, buf);
+
+ //NOTE: the result string may contain "\\x0a" for sha384 and sha512
+ // probably need to remove it from here?
+err:
+ BIO_free_all(bio);
+ return issuer_name_str;
+ %}
From 2743966fcc8628e525996eb2d3cab0dc1f2463e8 Mon Sep 17 00:00:00 2001
From: Liang Zhu
Date: Wed, 1 Jul 2015 17:00:41 -0700
Subject: [PATCH 005/147] add a script to combine ocsp with ssl
---
 .../policy/protocols/ssl/ocsp-measurement.bro | 467 ++++++++++++++++++
 1 file changed, 467 insertions(+)
 create mode 100644 scripts/policy/protocols/ssl/ocsp-measurement.bro
diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro
new file mode 100644
index 0000000000..a426e7e048
--- /dev/null
+++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro
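Review bot: `oct_str` from `ASN1_STRING_type_new` is never freed, so every call of x509_issuer_name_hash leaks an ASN1_OCTET_STRING on both the success path and the `err` path, and neither `oct_str` nor `bio` is checked for NULL before `ASN1_OCTET_STRING_set` and `i2a_ASN1_STRING` use them. The ASN1/BIO detour exists only to hex-encode `md`, and the author's own NOTE records that it leaves line-break escapes in the result for sha384 and sha512, which matters because the string is meant to be compared against hashes taken from OCSP messages; encoding the digest with a plain loop removes the leak, the NULL cases and the line-break artifact together, and keeps the uppercase hex form that the ocsp.log baselines in this series show. A failed `X509_NAME_digest` currently returns NULL through `err` without a `builtin_error`, unlike every other failure branch in the function. The rewrite below replaces everything from the `unsigned char md[...]` declaration to the end of the body; the `issuer_name_str` local declared above then becomes unused and should be dropped.
```cpp
	// … unchanged: handle/issuer lookup and digest selection into dgst …

	unsigned char md[EVP_MAX_MD_SIZE];
	unsigned int len = 0;

	if ( ! X509_NAME_digest(issuer_name, dgst, md, &len) )
		{
		builtin_error("fail to compute digest of issuer name");
		return NULL;
		}

	// Hex-encode the raw digest directly: no ASN1/BIO objects to free and
	// no line breaks inserted for digests longer than 35 bytes.
	static const char hex[] = "0123456789ABCDEF";
	char buf[2 * EVP_MAX_MD_SIZE];
	for ( unsigned int i = 0; i < len; ++i )
		{
		buf[2 * i] = hex[md[i] >> 4];
		buf[2 * i + 1] = hex[md[i] & 0x0f];
		}

	return new StringVal(2 * len, buf);
```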
@@ -0,0 +1,467 @@ +#! Match OCSP request and response to SSL connection for performance analysis + +@load base/protocols/http +@load base/frameworks/files +@load base/files/x509 +@load base/protocols/ssl +@load base/utils/queue + +module OCSP_MEASUREMENT; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ## cert id for the OCSP request + cert_id: OCSP::CertId &log &optional; + + ## request + ## NOTE: this is only one request if multiple requests + ## are sent together in one HTTP message, they will be + ## logged separately + req: OCSP::Info_req &log &optional; + + ## response + ## NOTE: similar to request, if multiple responses are + ## sent together in one HTTP message, they will be + ## logged separately + resp: OCSP::Info_resp &log &optional; + + ## HTTP connection uid + cuid: string &log; + + ## for 1st request, this is the time between first TCP + ## SYN and resp_ts; for the rest of the requests in + ## the same connection, this is the time btween req_ts + ## and res_ts + delay: interval &log &optional; + + ## the size of HTTP request body + req_size: count &log &optional; + + ## the size of HTTP request header + req_hdr_size: count &log &optional; + + ## the size of HTTP response body + resp_size: count &log &optional; + + ## the size of HTTP response header + resp_hdr_size: count &log &optional; + + ## the HTTP code in the HTTP response + http_code: count &log &optional; + + ## OCSP host, this is host in HTTP request + host: string &log; + + ## OCSP uri, this is uri in HTTP request + uri: string &log; + + ## number of ocsp requests in this connection + ## including this one + num_ocsp: count &log &optional; + + ## the time when the corresponding certificate is + ## received + cert_recv_ts: time &log &optional; + + ## SSL connection uid + ssl_cuid: string &log &optional; + + ## SSL connection id + ssl_cid: conn_id &optional; + + ## the time when client receives change cipher message + ## from server + ssl_change_cipher_ts: time &log 
&optional; + + ## the time when SSL connection is established + ssl_establish_ts: time &log &optional; + }; + + ## - map to OCSP_MEASUREMENT::Info + ## - indexed by source ip(addr), ocsp uri(string), issuer name + ## hash(string), serialNumber(string) + ## - is it possible server sends two same certificate? To be + ## safe, let's use a queue to store OCSP_MEASUREMENT::Info + type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins; + + ## a group of constant string for hash algorithm + ## to save memory, remove any unseen hash algorithm + global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); + + ## Event from a worker to the manager that it has encountered + ## an OCSP response + global new_ocsp_info: event(c: connection) &redef; + + ## Event from the manager to the workers that a new OCSP info + ## is to be added. + global ocsp_info_add: event(c: connection); +} + +# by different hash algorithm, OCSP_Mapping +global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; + +# track number of ocsp requests in this connection +redef record connection += { + num_ocsp: count &optional &default=0; + }; + +# add additional information to http info +redef record HTTP::Info += { + ## header length + request_header_len: count &optional &default=0; + response_header_len: count &optional &default=0; + + ## OCSP file id + ocsp_request_fuid: string &optional; + ocsp_response_fuid: string &optional; + + ## OCSP request and response timestamp + ocsp_request_ts: time &optional; + ocsp_response_ts: time &optional; + + ## store OCSP requests and responses + ocsp_request: OCSP::Request &optional; + ocsp_response: OCSP::Response &optional; +}; + +# add additional information to ssl info +redef record SSL::Info += { + ## connection start time + connection_start_ts: time &optional; + + ## client hello time + client_hello_ts: time &optional; + + ## ssl connection establish time + ssl_establish_ts: time &optional; + 
+ ## the time when server sends change-cipher-spec + change_cipher_ts: time &optional; + + ## - the time when a cert is received AND the cert has ocsp + ## extension + ## - the 2nd level table indexed by source ip(addr), ocsp + ## uri(string), issuer name hash(string), serialNumber + ## (string) + ## - the 1st level table indexed by different hash algorithm + ## for issuer name hash + ## - is it possible a server sends two same certificate? To be + ## safe, let's use a queue to store the time + cert_ts: table[string] of table[addr, string, string, string] of Queue::Queue &optional; +}; + +# set up cluster event +@if ( Cluster::is_enabled() ) +@load base/frameworks/cluster +redef Cluster::manager2worker_events += /OCSP_MEASUREMENT::ocsp_info_add/; +redef Cluster::worker2manager_events += /OCSP_MEASUREMENT::new_ocsp_info/; +@endif + +# get all the requests in one HTTP request +function get_all_requests(http: HTTP::Info): table[OCSP::CertId] of Queue::Queue + { + local pending_requests: table[OCSP::CertId] of Queue::Queue = table(); + if ( http?$ocsp_request && http$ocsp_request?$requestList ) + { + local req = http$ocsp_request; + for (x in req$requestList) + { + local one_req = req$requestList[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: OCSP::Info_req = [$ts=http$ocsp_request_ts, $id=http$ocsp_request_fuid, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + if (cert_id !in pending_requests) + pending_requests[cert_id] = Queue::init(); + + Queue::put(pending_requests[cert_id], req_rec); + } + } + return pending_requests; + } + +# remove the last '/' +function clean_uri(s: string): string + { + local s_len = |s|; + s_len -= 1; + if (s[-1] == "/") + return clean_uri(s[0:s_len]); + else + return 
s; + } + +# fill in OCSP/HTTP information +function fill_ocsp_info(c: connection) + { + local http: HTTP::Info = c$http; + + # get all the requests which will be matched to response later + local pending_requests: table[OCSP::CertId] of Queue::Queue = get_all_requests(http); + + # get all the responses and match them to the requests + if ( http?$ocsp_response && http$ocsp_response?$responses ) + { + local resp = http$ocsp_response; + for (x in resp$responses) + { + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + + local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, + $cuid = http$uid, $host = http$host, + $uri = http$uri, $resp = resp_rec, + $req_size = http$request_body_len, + $req_hdr_size = http$request_header_len, + $resp_size = http$response_body_len, + $resp_hdr_size = http$response_header_len, + $http_code = http$status_code]; + if (cert_id in pending_requests) + { + # find a match + local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); + ocsp_info$req = req_rec; + ocsp_info$num_ocsp = c$num_ocsp; + + if (c$num_ocsp == 0) + ocsp_info$delay = ocsp_info$req$ts - c$start_time; + else + ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; + + if (Queue::len(pending_requests[cert_id]) == 0) + delete pending_requests[cert_id]; #if queue is empty, delete it? 
+ } + + # add to ocsp map + local full_uri: string = clean_uri(http$host + http$uri); + local h = cert_id$hashAlgorithm; + local src_ip: addr = c$id$orig_h; + + if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) + ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); + + Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); + } + + } + } + +# work event +@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) +event OCSP_MEASUREMENT::ocsp_info_add(c: connection) + { + fill_ocsp_info(c); + } +@endif + +# manager event +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event OCSP_MEASUREMENT::new_ocsp_info(c: connection) + { + event OCSP_MEASUREMENT::ocsp_info_add(c); + } +@endif + +# record the header length +event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) + { + # proceed only this http connection has ocsp request or response + if ( ! c$http?$ocsp_request && ! c$http?$ocsp_response ) + return; + + if ( is_orig ) + { + c$http$request_header_len = stat$header_length; + c$num_ocsp += 1; + } + else + { + c$http$response_header_len = stat$header_length; + # here, a http request-response is done + # if any ocsp info is present, put it in ocsp_map +@if ( ! 
Cluster::is_enabled() ) + fill_ocsp_info(c); +@endif + +@if ( Cluster::is_enabled() ) + # send this ocsp info to manager and manager will send + # it to all the workder + event OCSP_MEASUREMENT::new_ocsp_info(c); +@endif + } + } + +# add ocsp request to http record +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( !f?$http ) + return; + f$http$ocsp_request = req; + f$http$ocsp_request_ts = network_time(); + f$http$ocsp_request_fuid = f$id; + } + +# add ocsp response to http record +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( !f?$http ) + return; + f$http$ocsp_response = resp; + f$http$ocsp_response_ts = network_time(); + f$http$ocsp_response_fuid = f$id; + } + +# add client hello time and connection start time +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + { + c$ssl$client_hello_ts = network_time(); + c$ssl$connection_start_ts = c$start_time; + } + +# add time stamp for server's change cipher message +event ssl_change_cipher_spec(c: connection, is_orig: bool) + { + if ( is_orig ) + return; + c$ssl$change_cipher_ts = network_time(); + } + +# add ssl established time +event ssl_established(c: connection) + { + c$ssl$ssl_establish_ts = network_time(); + } + +# extract the full ocsp uri from certificate extension +function get_ocsp_uri(s: string): string + { + s = strip(s); + s = to_lower(s); + local parts = split_string(s, /\x0a/); + for (x in parts) + { + local f4c = sub_bytes(parts[x], 0, 4); + if (f4c == "ocsp") + { + local w = split_string(parts[x], /\/\//); + return w[1]; + } + } + return ""; + } + +# create ocsp index if ocsp extension is encountered +# record the time when certificate is received +event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { + if (!ext?$name || ext$name != "Authority Information Access") + return; + + if ( !f?$info || !f$info?$x509 || 
!f$info$x509?$handle || !f$info$x509?$certificate) + return; + + local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); + if ( |ocsp_uri| == 0 ) + return; + + local cert: X509::Certificate = f$info$x509$certificate; + local serial_number: string = cert$serial; + local cert_ref: opaque of x509 = f$info$x509$handle; + + # get connection + local c: connection; + # there should be only one loop + for ( id in f$conns ) + c = f$conns[id]; + + if ( !c$ssl?$cert_ts ) + c$ssl$cert_ts = table(); + + local current_ts: time = network_time(); + local source_ip: addr = c$id$orig_h; + + local issuer_name: table[string] of string; + # loop through each hash algorithm + for (i in hash_algorithm) + { + local h: string = hash_algorithm[i]; + issuer_name[h] = x509_issuer_name_hash(cert_ref, h); + + # if given hash algorithm is not in record, create a new table + if ( h !in c$ssl$cert_ts ) + c$ssl$cert_ts[h] = table(); + + # if given index is not in record, create a new queue + if ( [source_ip, ocsp_uri, issuer_name[h], serial_number] !in c$ssl$cert_ts[h] ) + c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number] = Queue::init(); + + # put the timing information in the queue of ssl info + Queue::put(c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number], current_ts); + } + } + +# log information when ssl connection is removed +event connection_state_remove(c: connection) &priority= -20 + { + if ( ! c?$ssl || ! 
c$ssl?$cert_ts ) + return; + + for (i in hash_algorithm) + { + local h = hash_algorithm[i]; + for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) + { + if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) + { + # find a ocsp to ssl match + local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; + local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; + ocsp_info$cert_recv_ts = cert_recv_ts; + ocsp_info$ssl_cuid = c$uid; + ocsp_info$ssl_cid = c$id; + ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; + ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; + Log::write(LOG, ocsp_info); + } + } + } + } + +event bro_init() + { + # initialize ocsp_map + for (i in hash_algorithm) + ocsp_map[hash_algorithm[i]] = table(); + + Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); + } From 386a5b811d667b6169f1f0fe8eff6a994681d2aa Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 14:23:38 -0700 Subject: [PATCH 006/147] add optional logging for parsed ocsp stapling message --- .../policy/protocols/ssl/ocsp-stapling.bro | 113 ++++++++++++++++++ .../analyzer/ocsp/CMakeLists.txt | 2 +- src/file_analysis/analyzer/ocsp/functions.bif | 36 ++++++ 3 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 scripts/policy/protocols/ssl/ocsp-stapling.bro create mode 100644 src/file_analysis/analyzer/ocsp/functions.bif diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro new file mode 100644 index 0000000000..0a0c92da1c --- /dev/null 
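Review bot: In fill_ocsp_info the response's own `hashAlgorithm` is used as the index `ocsp_map[h]`, but `ocsp_map` is only populated in bro_init for the five names in `hash_algorithm`, so a response on the wire that names any other algorithm indexes a missing entry and raises a runtime error instead of being skipped; `if ( h !in ocsp_map ) next;` before the `!in ocsp_map[h]` test handles that. The x509_extension handler reads `c$ssl$cert_ts` after `for ( id in f$conns ) c = f$conns[id];` without confirming that a connection was found or that `c?$ssl` is set, which matters if the x509 analyzer fires for a certificate carried on a non-SSL connection; `if ( |f$conns| == 0 ) return;` followed by `if ( ! c?$ssl ) return;` covers both. get_ocsp_uri returns `w[1]` without checking that `split_string(parts[x], /\/\//)` produced two elements, so an AIA value whose line starts with "ocsp" but contains no `//` errors as well; return "" when `|w| < 2`.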
+++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro 
@@ -0,0 +1,113 @@ +#! Log ocsp stapling information + +module OCSP_STAPLING; + +export { + redef enum Log::ID += { LOG }; + type Info: record { + ## timestamp + ts: time &log; + + ## connection uid + cid: conn_id &log; + + ## connection uid + cuid: string &log; + + ## size of this response + size: count &log; + + ## responseStatus + responseStatus: string &log; + + ## responseType + responseType: string &log; + + ## version + version: count &log; + + ## responderID + responderID: string &log; + + ## producedAt + producedAt: string &log; + + ## NOTE: the following are specific to one cert id + ## the above are for one message which may contain + ## several responses + + ## index + idx: count &log &optional; + + ## cert id + cert_id: OCSP::CertId &log &optional; + + ## certStatus (this is the response to look at) + certStatus: string &log &optional; + + ## thisUpdate + thisUpdate: string &log &optional; + + ## nextUpdate + nextUpdate: string &log &optional; + }; +} + +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) + { + local resp: OCSP::Response = ocsp_parse_response(response); + + # TOCHECK: is this right? 
+ local resp_size: count =|response|; + + if (resp?$responses) + { + local num: count = 0; + for (x in resp$responses) + { + num += 1; + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: Info = [$ts = network_time(), + $cid = c$id, + $cuid = c$uid, + $size = resp_size, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $idx = num, + $cert_id = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + Log::write(LOG, resp_rec); + } + } + else + { + # no response content? this is weird but log it anyway + local resp_rec_empty: Info = [$ts = network_time(), + $cid = c$id, + $cuid = c$uid, + $size = resp_size, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt]; + Log::write(LOG, resp_rec_empty); + } + } + +event bro_init() + { + Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]); + } diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt index d1cff9d157..12c54c1c84 100644 --- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt +++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt @@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro OCSP) bro_plugin_cc(OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif) +bro_plugin_bif(events.bif types.bif functions.bif) bro_plugin_end() 
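Review bot: The `else` branch comment `# no response content? this is weird but log it anyway` mislabels the normal case: an OCSPResponse whose responseStatus is anything other than successful (tryLater, unauthorized, malformedRequest, …) carries no responseBytes, so `resp?$responses` being false is expected there, not anomalous. Suggest `# Non-successful responses carry no responseBytes; log the status alone` and treat only a successful status with an empty list as unusual. The `# TOCHECK: is this right?` above `resp_size` can be dropped — `|response|` is the byte length of the stapled blob. Separately, `is_orig` is delivered by the analyzer but neither checked nor logged; in TLS 1.2 a CertificateStatus comes from the server, so an `is_orig: bool &log` column (or an early `if ( is_orig ) return;`) would let the log show a client-originated one for what it is.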
diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/ocsp/functions.bif new file mode 100644 index 0000000000..19d9ac1cb5 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/functions.bif @@ -0,0 +1,36 @@ +%%{ +#include "file_analysis/analyzer/ocsp/OCSP.h" +#include "types.bif.h" +%%} + +## Parses a OCSP response into an OCSP::Response structure. +## +## ocsp_reply: OCSP data. +## +## Returns: A OCSP::Response structure. +## +## .. bro:see:: ssl_stapled_ocsp +function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response + %{ + const unsigned char* start = ocsp_reply->Bytes(); + OCSP_RESPONSE *resp = NULL; + file_analysis::OCSP_RESPVal* resp_val = NULL; + RecordVal* resp_record = NULL; + resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len()); + if ( ! resp ) + { + reporter->Weird("OPENSSL Could not parse OCSP response"); + return NULL; + } + resp_val = new file_analysis::OCSP_RESPVal(resp); + resp_record = file_analysis::OCSP::ParseResponse(resp_val); + if (!resp_record) + { + reporter->Weird("Internal fail to parse OCSP response"); + Unref(resp_val); + return NULL; + } + Unref(resp_val); + //Unref(resp_record); + return resp_record; + %} From de17c12656d0a223d38c3c83fa866d2f6b54226f Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 14:51:07 -0700 Subject: [PATCH 007/147] add btest for ocsp-stapling logging --- .../ocsp-stapling.log | 10 ++++++++++ .../scripts/policy/protocols/ssl/ocsp-stapling.bro | 6 ++++++ 2 files changed, 16 insertions(+) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log create mode 100644 testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log new file mode 100644 index 0000000000..03964f7191 --- /dev/null 
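Review bot: `ocsp_parse_response` is declared to return `OCSP::Response` but hands back `NULL` on both failure paths, and the doc block does not say so, so script callers (ssl_stapled_ocsp in this series) assign the result and read `resp$responseStatus` unconditionally; the input is peer-supplied DER, so a malformed blob is the routine case for this parser rather than a corner case. At minimum document the contract, `## Returns: A OCSP::Response structure, or no value if *ocsp_reply* is not a parseable DER OCSPResponse.`, so callers know to guard; a record carrying an explicit error status would be the more robust interface. The two `reporter->Weird(...)` names contain spaces and carry no connection or file context, which makes them awkward to match in weird.log — consider identifier-style names (e.g. `ocsp_response_parse_error`, constructed here) and, where a file or connection is available to the caller, passing it. The commented-out `//Unref(resp_record);` should be deleted, or replaced by a comment stating that the returned record is presumably owned by the caller.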
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp-stapling +#open 2015-07-02-21-49-21 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate +#types time addr port addr port string count string string count string string count string string string string string string string +1398367809.961683 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z +#close 2015-07-02-21-49-21 diff --git a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro new file mode 100644 index 0000000000..63b7e29e03 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -0,0 +1,6 @@ +# This tests logging of ocsp stapling message + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# @TEST-EXEC: btest-diff ocsp-stapling.log + +@load protocols/ssl/ocsp-stapling From 8844d344af4428819d8844ab83c3037679e5d3e3 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 17:46:43 -0700 Subject: [PATCH 008/147] add connection in ocsp log --- scripts/base/files/ocsp/main.bro | 40 ++++++++++++++----- .../policy/protocols/ssl/ocsp-stapling.bro | 2 +- .../ocsp.log | 10 ++--- .../ocsp.log | 10 ++--- .../ocsp.log | 10 ++--- 5 files changed, 47 insertions(+), 25 deletions(-) 
diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 602f23bcc5..c5ccd6df7f 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -23,6 +23,10 @@ export { ts: time; ## file id for this request id: string &log; + ## connection id + cid: conn_id &optional; + ## connection uid + cuid: string &optional; ## version version: count &log &optional; ## requestor name @@ -37,9 +41,13 @@ export { ## one ocsp response record type Info_resp: record { ## time for the response - ts: time; + ts: time &log; ## file id for this response id: string &log; + ## connection id + cid: conn_id &optional; + ## connection uid + cuid: string &optional; ## responseStatus (different from cert status?) responseStatus: string &log; ## responseType @@ -67,9 +75,21 @@ export { type Info: record { ## timestamp for request if a corresponding request is present ## OR timestamp for response if a corresponding request is not found - ts: time &log; + ts: time &log; + + ## connection id + cid: conn_id &log; + + ## connection uid + cuid: string &log; + + ## cert id certId: OCSP::CertId &log &optional; + + ## request req: Info_req &log &optional; + + ## response resp: Info_resp &log &optional; }; @@ -127,7 +147,7 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) $issuerKeyHash = one_req$issuerKeyHash, $serialNumber = one_req$serialNumber]; - local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; + local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid]; if (req?$version) req_rec$version = req$version; 
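Review bot: `cid` and `cuid` are added to `Info_req` and `Info_resp` as `&optional`, yet every constructor in this commit sets them, and `Info.cid`/`Info.cuid` are required `&log` fields that `log_unmatched_msgs_queue` (the `@@ -223,7 +245,7 @@` hunk of this file) fills from `reqs[i]$cid` and `reqs[i]$cuid`; if an `Info_req` ever reaches that queue without them, the `Log::write` fails at runtime instead of at load time. Either drop `&optional` on the two fields (`cid: conn_id;` / `cuid: string;`) so the script type-checker enforces the invariant, or guard the copy with `reqs[i]?$cid`. `conn` in the `@@ -127,7 +147,7 @@` hunk is bound outside the hunk; if it is taken from `f$conns`, it is worth a comment that an `fa_file` can be tied to several connections and only one of them is recorded here.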
@@ -147,12 +167,12 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) else { # no request content? this is weird but log it anyway - local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; + local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid]; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } @@ -178,6 +198,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, + $cid=conn$id, $cuid=conn$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, @@ -193,14 +214,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); } } } 
@@ -208,12 +229,13 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # no response content? this is weird but log it anyway local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, + $cid=conn$id, $cuid=conn$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } @@ -223,7 +245,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue) Queue::get_vector(q, reqs); for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); + Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]); } function log_unmatched_msgs(msgs: PendingRequests) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 0a0c92da1c..64c3d198f2 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -8,7 +8,7 @@ export { ## timestamp ts: time &log; - ## connection uid + ## connection id cid: conn_id &log; ## connection uid diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 9881f143c1..c9a4964207 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-33 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - -#close 2015-06-19-16-32-33 +#open 2015-07-03-00-39-57 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - +#close 2015-07-03-00-39-57 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index b21cadda9a..feb466e43f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-23 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-06-19-16-32-23 +#open 2015-07-03-00-40-58 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-07-03-00-40-58 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log
index f5a5c43c7c..7b86586eb8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-39 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-06-19-16-32-39 +#open 2015-07-03-00-38-40 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-07-03-00-38-40 From d18a96bc8d94a645bd443b0b1784c6ba48fe88b3 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Mon, 6 Jul 2015 16:12:52 -0700 Subject: [PATCH 009/147] separated field for ocsp response timestamp and update baseline --- scripts/base/files/ocsp/main.bro | 11 +++++++---- .../ocsp.log | 6 +++--- .../ocsp.log | 6 +++--- .../ocsp.log | 6 +++--- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index c5ccd6df7f..62a414d3cf 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -41,7 +41,7 @@ export { ## one ocsp response record type Info_resp: record { ## time for the response - ts: time &log; + ts: time; ## file id for this response id: string &log; ## connection id @@ -89,6 +89,9 @@ export { ## request req: Info_req &log &optional; + ## response timestamp + resp_ts: time &log &optional; + ## response resp: Info_resp &log &optional; }; @@ -214,14 +217,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); } } } 
@@ -235,7 +238,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp_ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index c9a4964207..3ac21e3f22 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-39-57 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-03-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - -#close 2015-07-03-00-39-57 +#close 2015-07-06-23-03-35 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index feb466e43f..53c2b598d5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-40-58 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-05-10 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-03-00-40-58 +#close 2015-07-06-23-05-10 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 7b86586eb8..4889fdc434 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-38-40 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-05-43 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-03-00-38-40 +#close 2015-07-06-23-05-43 From e2c30f0005c26931d88488b806146cb497600f7c Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 6 Jul 2015 17:52:13 -0700 Subject: [PATCH 010/147] record more timestamp for ocsp measurement --- .../policy/protocols/ssl/ocsp-measurement.bro | 61 ++++++++++++------- 1 file changed, 39 insertions(+), 22 deletions(-) 
diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro index a426e7e048..c95fd9b83e 100644 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -15,12 +15,18 @@ export { ## cert id for the OCSP request cert_id: OCSP::CertId &log &optional; + ## request timestamp + req_ts: time &log &optional; + ## request ## NOTE: this is only one request if multiple requests ## are sent together in one HTTP message, they will be ## logged separately req: OCSP::Info_req &log &optional; + ## response timestamp + resp_ts: time &log &optional; + ## response ## NOTE: similar to request, if multiple responses are ## sent together in one HTTP message, they will be @@ -30,10 +36,13 @@ export { ## HTTP connection uid cuid: string &log; + ## HTTP connection start time + conn_start_ts: time &log; + ## for 1st request, this is the time between first TCP ## SYN and resp_ts; for the rest of the requests in ## the same connection, this is the time btween req_ts - ## and res_ts + ## and resp_ts delay: interval &log &optional; ## the size of HTTP request body @@ -57,8 +66,10 @@ export { ## OCSP uri, this is uri in HTTP request uri: string &log; - ## number of ocsp requests in this connection - ## including this one + ## number of HTTP request containing ocsp requests in + ## this connection including this one; this may be + ## different from number of OCSP requests since one + ## HTTP request may contain several OCSP requests num_ocsp: count &log &optional; ## the time when the corresponding certificate is 
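Review bot: The `delay` doc still says the first interval runs "between first TCP SYN and resp_ts", but the value subtracted in `fill_ocsp_info` is `c$start_time` (the same value now stored in `conn_start_ts`), which is the SYN time only when the handshake was captured; on a trace picked up mid-connection it is the first packet seen. Suggest `## for the 1st request, time between connection start (c$start_time) and resp_ts;` so the column is not misread as a handshake RTT. `req_ts`/`resp_ts` could also state that they are copies of `req$ts`/`resp$ts` hoisted to top-level columns because the nested records' `ts` fields are not `&log`.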
@@ -222,36 +233,42 @@ function fill_ocsp_info(c: connection) $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; - local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; + local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, + $id = http$ocsp_response_fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, - $cuid = http$uid, $host = http$host, - $uri = http$uri, $resp = resp_rec, - $req_size = http$request_body_len, - $req_hdr_size = http$request_header_len, - $resp_size = http$response_body_len, + local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, + $cuid = http$uid, + $conn_start_ts = c$start_time, + $host = http$host, + $uri = http$uri, + $resp_ts = resp_rec$ts, + $resp = resp_rec, + $req_size = http$request_body_len, + $req_hdr_size = http$request_header_len, + $resp_size = http$response_body_len, $resp_hdr_size = http$response_header_len, - $http_code = http$status_code]; + $http_code = http$status_code]; if (cert_id in pending_requests) { # find a match local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); - ocsp_info$req = req_rec; + ocsp_info$req = req_rec; + ocsp_info$req_ts = req_rec$ts; ocsp_info$num_ocsp = c$num_ocsp; - if (c$num_ocsp == 0) - ocsp_info$delay = ocsp_info$req$ts - c$start_time; + if (c$num_ocsp == 
1) + ocsp_info$delay = ocsp_info$resp$ts - c$start_time; else ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; From 07891b3b66fbf86a188325a0eaedc24db9571b13 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 12:27:02 -0700 Subject: [PATCH 011/147] parse multiple OCSP stapling responses --- .../protocol/ssl/tls-handshake-analyzer.pac | 5 ++--- .../protocol/ssl/tls-handshake-protocol.pac | 18 +++++++++++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 17432fa5cb..afca5dd77f 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -168,14 +168,13 @@ refine connection Handshake_Conn += { function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 ) // ocsp + if ( status_type == 1 || status_type == 2 ) // ocsp { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data())); } - return true; %} @@ -255,7 +254,7 @@ refine typeattr ServerNameExt += &let { proc : bool = $context.connection.proc_server_name(rec, server_names); }; -refine typeattr CertificateStatus += &let { +refine typeattr OCSPResponse += &let { proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index b24352d099..722b6f1f59 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
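Review bot: `proc_certificate_status` is now invoked once per `OCSPResponse` element, and with `status_type == 2` the list grammar in tls-handshake-protocol.pac (next hunk) accepts zero-length entries — RFC 6961 uses an empty OCSPResponse to mean "no status for this certificate" — so each such entry raises `ssl_stapled_ocsp` with an empty string that consumers then try to DER-decode and report as a weird. Skip them at the source with `if ( response.length() == 0 ) return true;` before the event is generated, or document in events.bif that the response may be empty. The `status_type == 1 || status_type == 2` test is now always true, since `OCSPResponse` is only instantiated under those two case labels; keep it only with a comment explaining it as a guard against future grammar changes.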
@@ -139,11 +139,23 @@ type Certificate(rec: HandshakeRecord) = record { } &length = to_int()(length)+3; # OCSP Stapling +type OCSPResponse(rec: HandshakeRecord, status_type: uint8) = record { + length : uint24; + response : bytestring &length = to_int()(length); +} &length = to_int()(length)+3; + +type OCSPResponseList(rec: HandshakeRecord, status_type: uint8) = record { + length : uint24; + response_list : OCSPResponse(rec, status_type)[] &until($input.length() == 0); +} &length = to_int()(length)+3; type CertificateStatus(rec: HandshakeRecord) = record { - status_type: uint8; # 1 = ocsp, everything else is undefined - length : uint24; - response: bytestring &restofdata; + status_type: uint8; # 1 = ocsp, 2 = ocsp_multi, everything else is undefined + which_type: case status_type of { + 1 -> ocsp_response : OCSPResponse(rec, status_type); + 2 -> ocsp_response_list : OCSPResponseList(rec, status_type); + default -> data : bytestring &restofdata &transient; # unknown + }; }; ###################################################################### From 15bf098e7a5c284ae84ac6910b7eb2afbc4e3aba Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 13:39:24 -0700 Subject: [PATCH 012/147] rename proc_certificate_status to proc_ocsp_response --- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index afca5dd77f..84a7936daf 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -166,7 +166,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool + function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ if ( status_type == 1 || status_type == 2 ) // ocsp { 
@@ -255,7 +255,7 @@ refine typeattr ServerNameExt += &let { }; refine typeattr OCSPResponse += &let { - proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); + proc : bool = $context.connection.proc_ocsp_response(rec, status_type, response); }; refine typeattr EcServerKeyExchange += &let { From 545848d9067c9ce35e8825961ce82943d3c945ff Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 14:11:14 -0700 Subject: [PATCH 013/147] add parameter 'status_type' to event ssl_stapled_ocsp --- scripts/policy/protocols/ssl/ocsp-stapling.bro | 2 +- scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +++- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 ++- testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +- testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 64c3d198f2..298f6d3990 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -53,7 +53,7 @@ export { }; } -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local resp: OCSP::Response = ocsp_parse_response(response); diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 3beabbe59c..6667d9fbae 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro 
@@ -27,7 +27,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 18704d25ec..09e9c2d75e 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -294,7 +294,9 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len ## is_orig: True if event is raised for originator side of the connection. ## ## response: OCSP data. -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); +## +## status_type: status_type in received OCSP stapled response +event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 84a7936daf..89177dfb51 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -173,7 +173,8 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), - (const char*) response.data())); + (const char*) response.data()), + status_type); } return true; %} diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro index ab24f28ee8..4a4d081e09 100644 --- a/testing/btest/core/leaks/x509_ocsp_verify.bro +++ b/testing/btest/core/leaks/x509_ocsp_verify.bro 
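Review bot: The new `status_type` documentation in events.bif only restates the parameter name; callers need the value mapping, which the parser hunk of PATCH 011 fixes as 1 = ocsp and 2 = ocsp_multi. Suggest `## status_type: the status_type field of the CertificateStatus message (1 = ocsp, 2 = ocsp_multi).`, and a sentence noting that for ocsp_multi the event is raised once per entry of the response list, since the parser invokes `proc_ocsp_response` per `OCSPResponse` element.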
@@ -9,7 +9,7 @@ @load base/protocols/ssl -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 6424f263f1..440b1b2ebf 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test 
@@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\
x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) From 694738752224b4579c028e6f4ccb155d2d38f3ed Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 14:21:53 -0700 Subject: [PATCH 014/147] add status_type to ocsp stapling log --- scripts/policy/protocols/ssl/ocsp-stapling.bro | 9 +++++++-- .../ocsp-stapling.log | 10 +++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 298f6d3990..30f69e3b9a 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -7,7 +7,10 @@ export { type Info: record { ## timestamp ts: time &log; - + + ## status type + status_type: count &log; + ## connection id cid: conn_id &log; @@ -73,7 +76,8 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_ty $serialNumber = single_resp$serialNumber]; local resp_rec: Info = [$ts = network_time(), - $cid = c$id, + $status_type = status_type, + $cid = c$id, $cuid = c$uid, $size = resp_size, $responseStatus = resp$responseStatus, 
@@ -95,6 +99,7 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_ty { # no response content? this is weird but log it anyway local resp_rec_empty: Info = [$ts = network_time(), + $status_type = status_type, $cid = c$id, $cuid = c$uid, $size = resp_size, diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log index 03964f7191..c8d4c9d8e6 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp-stapling -#open 2015-07-02-21-49-21 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate -#types time addr port addr port string count string string count string string count string string string string string string string -1398367809.961683 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z -#close 2015-07-02-21-49-21 +#open 2015-07-08-21-19-54 +#fields ts status_type cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate +#types time count addr port addr port string count string string count string string count string string string string string string string +1398367809.961683 1 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z +#close 2015-07-08-21-19-54 From 535525e28364f1547de095688000b5032e7758d9 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Wed, 8 Jul 2015 18:20:29 -0700 Subject: [PATCH 015/147] fix a memory leak --- src/file_analysis/analyzer/ocsp/OCSP.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index ea90967cfc..d49d8d4beb 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -532,6 +532,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_resp_record->Assign(7, new StringVal(len, buf)); } clean_up: + if (basic_resp) + OCSP_BASICRESP_free(basic_resp); return ocsp_resp_record; } From 406fec9ef41fae467ff258ef965ca03ef7cc5b9a Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 9 Jul 2015 11:56:58 -0700 Subject: [PATCH 016/147] potentially fix a memory problem ocsp-measurement --- .../policy/protocols/ssl/ocsp-measurement.bro | 37 +++++++++---------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro index c95fd9b83e..b883a36fdc 100644 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -88,14 +88,10 @@ export { ## the time when SSL connection is established ssl_establish_ts: time &log &optional; - }; - ## - map to OCSP_MEASUREMENT::Info - ## - indexed by source ip(addr), ocsp uri(string), issuer name - ## hash(string), serialNumber(string) - ## - is it possible server sends two same certificate? To be - ## safe, let's use a queue to store OCSP_MEASUREMENT::Info - type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins; + ## the time when event connection_state_remove happens + ssl_end_ts: time &log &optional; + }; ## a group of constant string for hash algorithm ## to save memory, remove any unseen hash algorithm 
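Review bot: The added `if (basic_resp) OCSP_BASICRESP_free(basic_resp);` under `clean_up:` is only safe if `basic_resp` is initialised to NULL where it is declared, because the label is presumably also reached by earlier `goto clean_up` failure paths before the pointer is assigned; the declaration is outside this hunk, so please confirm. OpenSSL's `*_free` routines accept a NULL argument, so the guard could be dropped, but keeping it does no harm. The enclosing `ParseResponse` starts outside the hunk.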
@@ -110,8 +106,12 @@ export { global ocsp_info_add: event(c: connection); } -# by different hash algorithm, OCSP_Mapping -global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; +## - map to OCSP_MEASUREMENT::Info +## - indexed by hash algorithm(string), source ip(addr), ocsp +## uri(string), issuer name hash(string), serialNumber(string) +## - is it possible server sends two same certificate? To be +## safe, let's use a queue to store OCSP_MEASUREMENT::Info +global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins; # track number of ocsp requests in this connection redef record connection += { @@ -281,10 +281,10 @@ function fill_ocsp_info(c: connection) local h = cert_id$hashAlgorithm; local src_ip: addr = c$id$orig_h; - if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) - ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); + if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map ) + ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); - Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); + Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); } } 
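Review bot: `ocsp_map` is now one flat table with `&read_expire=6mins`, but nothing bounds the `Queue::Queue` stored per key: the `@@ -281` hunk does `Queue::put` on every `fill_ocsp_info` call, and entries are only drained in `connection_state_remove` (next line) when a matching certificate was seen on an SSL connection. A client that keeps issuing OCSP requests for the same cert id without a matching handshake grows that queue, and if the membership tests count as reads the expiry keeps being refreshed; consider `&create_expire` or capping the queue length before `Queue::put`. The doc comment above the global should also say that `connection_state_remove` is what removes entries.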
@@ -454,12 +454,12 @@ event connection_state_remove(c: connection) &priority= -20 local h = hash_algorithm[i]; for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) { - if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) + if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map ) { # find a ocsp to ssl match - local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; + local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]; local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; @@ -468,6 +468,7 @@ event connection_state_remove(c: connection) &priority= -20 ocsp_info$ssl_cid = c$id; ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; + ocsp_info$ssl_end_ts = network_time(); Log::write(LOG, ocsp_info); } } @@ -476,9 +477,5 @@ event connection_state_remove(c: connection) &priority= -20 event bro_init() { - # initialize ocsp_map - for (i in hash_algorithm) - ocsp_map[hash_algorithm[i]] = table(); - Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); } From 9553c8aefc1452947183631e6852ab367cc232bb Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Sun, 12 Jul 2015 13:52:26 -0700 Subject: [PATCH 017/147] separated logging for ocsp and ssl --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 577 ++++++++++++++++++ 1 file changed, 577 insertions(+) create mode 100644 scripts/policy/protocols/ssl/ocsp-ssl-split.bro diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro new file mode 100644 index 0000000000..8f24fa2d47 --- /dev/null +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro 
@@ -0,0 +1,577 @@ +#! log OCSP request, response and related HTTP information +#! log SSL connection which has cert with OCSP uri + +@load base/protocols/http +@load base/frameworks/files +@load base/files/x509 +@load base/protocols/ssl +@load base/utils/queue + +module OCSP_SSL_SPLIT; + +export { + redef enum Log::ID += { LOG_OCSP }; + redef enum Log::ID += { LOG_SSL }; + + type PendingRequests: table[OCSP::CertId] of Queue::Queue; + + type OCSP_Request_Type: record { + ts: time; + fuid: string; + req: OCSP::Request; + }; + + type OCSP_Response_Type: record { + ts: time; + fuid: string; + resp: OCSP::Response; + }; + + type Info_OCSP: record { + ## cert id for the OCSP request + cert_id: OCSP::CertId &log &optional; + + ## request timestamp + req_ts: time &log &optional; + + ## one OCSP request may contain several OCSP requests + ## with different cert id; this is the index of the + ## OCSP request with cert_id in the big OCSP request + req_index: count &log &optional; + + ## request + ## NOTE: this is only one request if multiple requests + ## are sent together in one HTTP message, they will be + ## logged separately + req: OCSP::Info_req &log &optional; + + ## response timestamp + resp_ts: time &log &optional; + + ## one OCSP response may contain several OCSP responses + ## with different cert id; this is the index of the + ## OCSP response with cert_id in the big OCSP response + resp_index: count &log &optional; + + ## response + ## NOTE: similar to request, if multiple responses are + ## sent together in one HTTP message, they will be + ## logged separately + resp: OCSP::Info_resp &log &optional; + + ## HTTP connection id + cid: conn_id &log; + + ## HTTP connection uid + cuid: string &log; + + ## HTTP connection start time + conn_start_ts: time &log; + + ## the time between req_ts and resp_ts + delay: interval &log &optional; + + ## the size of HTTP request body + req_size: count &log &optional; + + ## the size of HTTP request header + req_hdr_size: count &log 
&optional; + + ## the size of HTTP response body + resp_size: count &log &optional; + + ## the size of HTTP response header + resp_hdr_size: count &log &optional; + + ## the HTTP code in the HTTP response + http_code: count &log &optional; + + ## OCSP host, this is host in HTTP request + host: string &log &optional; + + ## OCSP uri, this is uri in HTTP request + uri: string &log &optional; + + ## number of HTTP requests containing ocsp requests in + ## this connection including this one; this may be + ## different from number of OCSP requests since one + ## HTTP request may contain several OCSP requests; + ## this is copied from connection + num_ocsp: count &log &optional; + }; + + type Info_SSL: record { + ## connection id + id: conn_id &log; + + ## uid + uid: string &log; + + ## connection start time + conn_start_ts: time &log &optional; + + ## client hello time + client_hello_ts: time &log &optional; + + ## the time when client receives change cipher message + ## from server + change_cipher_ts: time &log &optional; + + ## the time when SSL connection is established + establish_ts: time &log &optional; + + ## the time when event connection_state_remove happens + end_ts: time &log &optional; + + ## the above are common information for SSL connection + ## the following is specific to an cert + + ## ocsp_uri + ocsp_uri: string &log &optional; + + ## serial_number + serial_number: string &log &optional; + + ## the time when the corresponding certificate is + ## received; formatted as: str(time),str(time) + cert_recv_ts: string &log &optional; + + ## issuer_name + ## formatted as: hash_algorithm1:value1,hash_algorithm2:value2 + issuer_name: string &log &optional; + }; + + ## a group of constant string for hash algorithm; to save + ## memory, remove any unseen hash algorithm + global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); +} + +redef record connection += { + ## track number of ocsp requests in this connection + num_ocsp: count 
&optional &default=0; + }; + +# add additional information to http info +redef record HTTP::Info += { + ## header length + request_header_len: count &optional &default=0; + response_header_len: count &optional &default=0; + + ## OCSP_Request_Type + ocsp_requests: vector of OCSP_Request_Type &optional; + + ## OCSP_Response_Type + ocsp_responses: vector of OCSP_Response_Type &optional; + + ## connection start time, copied from connection + conn_start_ts: time &optional; + + ## number of OCSP requests so far, copied from connection + num_ocsp: count &optional; +}; + +# add additional information to ssl info +redef record SSL::Info += { + ## connection start time + conn_start_ts: time &optional; + + ## the time when client hello event happens + client_hello_ts: time &optional; + + ## the time when ssl connection is established + establish_ts: time &optional; + + ## the time when server sends change-cipher-spec + change_cipher_ts: time &optional; + + ## indexed by ocsp_uri(string), serialNumber(string), issuer + ## name hash(string). issuer name hash is formatted as: + ## hash_algorithm1:value1,hash_algorithm2:value2 + cert_ts: table[string, string, string] of Queue::Queue &optional; +}; + +# remove the last '/' +function clean_uri(s: string): string + { + local s_len = |s|; + s_len -= 1; + if (s[-1] == "/") + return clean_uri(s[0:s_len]); + else + return s; + } + +# record the header length and update num_ocsp and conn_start_ts +event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) + { + # proceed only this http connection has ocsp request or response + if ( ! c$http?$ocsp_requests && ! 
c$http?$ocsp_responses ) + return; + + if ( is_orig ) + { + c$http$request_header_len = stat$header_length; + c$num_ocsp += 1; + } + else + { + c$http$response_header_len = stat$header_length; + } + c$http$num_ocsp = c$num_ocsp; + c$http$conn_start_ts = c$start_time; + } + +# add ocsp request to http record +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( ! f?$http ) + return; + local request: OCSP_Request_Type = [$ts = network_time(), + $fuid = f$id, + $req = req]; + if ( ! f$http?$ocsp_requests ) + f$http$ocsp_requests = vector(); + f$http$ocsp_requests[|f$http$ocsp_requests|] = request; + } + +# add ocsp response to http record +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( ! f?$http ) + return; + local response: OCSP_Response_Type = [$ts = network_time(), + $fuid = f$id, + $resp = resp]; + if ( ! f$http?$ocsp_responses ) + f$http$ocsp_responses = vector(); + f$http$ocsp_responses[|f$http$ocsp_responses|] = response; + } + +# add client hello time and connection start time +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + { + c$ssl$client_hello_ts = network_time(); + c$ssl$conn_start_ts = c$start_time; + } + +# add time stamp for server's change cipher message +event ssl_change_cipher_spec(c: connection, is_orig: bool) + { + if ( ! 
is_orig ) + c$ssl$change_cipher_ts = network_time(); + } + +# add ssl established time +event ssl_established(c: connection) + { + c$ssl$establish_ts = network_time(); + } + +# extract the full ocsp uri from certificate extension +function get_ocsp_uri(s: string): string + { + s = strip(s); + s = to_lower(s); + local parts = split_string(s, /\x0a/); + for (x in parts) + { + local f4c = sub_bytes(parts[x], 0, 4); + if (f4c == "ocsp") + { + local w = split_string(parts[x], /\/\//); + return w[1]; + } + } + return ""; + } + +# create ocsp index if ocsp extension is encountered +# record the time when certificate is received +event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { + if ( ! ext?$name || ext$name != "Authority Information Access") + return; + + if ( ! f?$info || ! f$info?$x509 || ! f$info$x509?$handle || ! f$info$x509?$certificate) + return; + + local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); + if ( |ocsp_uri| == 0 ) + return; + + local cert: X509::Certificate = f$info$x509$certificate; + local serial_number: string = cert$serial; + local cert_ref: opaque of x509 = f$info$x509$handle; + + # get connection TODO:TOCHECK + local c: connection; + # there should be only one loop? + for ( id in f$conns ) + c = f$conns[id]; + + if ( ! 
c$ssl?$cert_ts ) + c$ssl$cert_ts = table(); + + local current_ts: time = network_time(); + local issuer_name: string = ""; + + # loop through each hash algorithm + for ( i in hash_algorithm ) + { + local h: string = hash_algorithm[i]; + + # formatted as: hash_algorithm1:value1,hash_algorithm2:value2 + issuer_name += h + ":" + x509_issuer_name_hash(cert_ref, h); + if ( i != (|hash_algorithm| - 1)) + issuer_name += ","; + } + + # if given index is not in record, create a new queue + if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) + c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name] = Queue::init(); + + # put the timing information in the queue + Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); + } + +# log unmatched ocsp request or response +function log_unmatched_ocsp_queue (q: Queue::Queue) + { + local rec: vector of OCSP_SSL_SPLIT::Info_OCSP; + Queue::get_vector(q, rec); + for ( i in rec ) + Log::write(LOG_OCSP, rec[i]); + } + +# log unmatched ocsp request or response +function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) + { + for ( cert_id in ocsp ) + log_unmatched_ocsp_queue(ocsp[cert_id]); + clear_table(ocsp); + } + +# update http data in ocsp info record +function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) + { + if ( http?$host ) + ocsp$host = http$host; + + if ( http?$uri ) + ocsp$uri = http$uri; + + if ( http?$status_code ) + ocsp$http_code = http$status_code; + + if ( http?$request_body_len ) + ocsp$req_size = http$request_body_len; + + if ( http?$request_header_len ) + ocsp$req_hdr_size = http$request_header_len; + + if ( http?$response_body_len ) + ocsp$resp_size = http$response_body_len; + + if ( http?$response_header_len ) + ocsp$resp_hdr_size = http$response_header_len; + } + +# get all the ocsp requests +function get_ocsp_requests(http: HTTP::Info): PendingRequests + { + local pending_ocsp_requests: PendingRequests = table(); + + if ( ! 
http?$ocsp_requests ) + return pending_ocsp_requests; + + for ( x in http$ocsp_requests ) + { + local request: OCSP_Request_Type = http$ocsp_requests[x]; + if ( ! request?$req ) + next; + + local req: OCSP::Request = request$req; + if ( ! req?$requestList ) + next; + + local req_index: count = 0; + for ( y in req$requestList ) + { + req_index += 1; + local one_req = req$requestList[y]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: OCSP::Info_req = [$ts=request$ts, $id=request$fuid, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + local ocsp_info_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, + $req_ts = request$ts, + $req_index = req_index, + $req = req_rec, + $cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts, + $num_ocsp = http$num_ocsp]; + update_http_info(ocsp_info_rec, http); + + if ( cert_id !in pending_ocsp_requests ) + pending_ocsp_requests[cert_id] = Queue::init(); + + Queue::put(pending_ocsp_requests[cert_id], ocsp_info_rec); + } + } + return pending_ocsp_requests; + } + +# log OCSP +function start_log_ocsp(http: HTTP::Info) + { + if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) + return; + + local pending_ocsp_requests: PendingRequests = get_ocsp_requests(http); + + if ( ! http?$ocsp_responses ) + { + log_unmatched_ocsp(pending_ocsp_requests); + return; + } + + for ( x in http$ocsp_responses ) + { + local response: OCSP_Response_Type = http$ocsp_responses[x]; + if ( ! response?$resp ) + next; + + local resp: OCSP::Response = response$resp; + if ( ! 
resp?$responses ) + next; + + local resp_index: count = 0; + for ( y in resp$responses ) + { + resp_index += 1; + local single_resp: OCSP::SingleResp = resp$responses[y]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: OCSP::Info_resp = [$ts = response$ts, + $id = response$fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + if ( single_resp?$nextUpdate ) + resp_rec$nextUpdate = single_resp$nextUpdate; + + if ( cert_id in pending_ocsp_requests) + { + # find a match + local ocsp_info: OCSP_SSL_SPLIT::Info_OCSP = Queue::get(pending_ocsp_requests[cert_id]); + ocsp_info$resp = resp_rec; + ocsp_info$resp_ts = response$ts; + ocsp_info$resp_index = resp_index; + + # update http info, previously filled in fill_ocsp_request + update_http_info(ocsp_info, http); + + ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; + + if (Queue::len(pending_ocsp_requests[cert_id]) == 0) + delete pending_ocsp_requests[cert_id]; + + Log::write(LOG_OCSP, ocsp_info); + } + else + { + local ocsp_info_noreq: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, + $resp_ts = resp_rec$ts, + $resp_index = resp_index, + $resp = resp_rec, + $cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts, + $num_ocsp = http$num_ocsp]; + update_http_info(ocsp_info_noreq, http); + Log::write(LOG_OCSP, ocsp_info_noreq); + } + } + } + if ( |pending_ocsp_requests| != 0 ) + log_unmatched_ocsp(pending_ocsp_requests); + } + +# log OCSP information +event HTTP::log_http(rec: HTTP::Info) + { + start_log_ocsp(rec); + } + +# update ssl info +function update_ssl_info(ssl_rec: 
OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) + { + if ( ssl?$conn_start_ts ) + ssl_rec$conn_start_ts = ssl$conn_start_ts; + + if ( ssl?$client_hello_ts ) + ssl_rec$client_hello_ts = ssl$client_hello_ts; + + if ( ssl?$establish_ts ) + ssl_rec$establish_ts = ssl$establish_ts; + + if ( ssl?$change_cipher_ts ) + ssl_rec$change_cipher_ts = ssl$change_cipher_ts; + } + +# log SSL information when ssl connection is removed +event connection_state_remove(c: connection) &priority= -20 + { + if ( ! c?$ssl || ! c$ssl?$cert_ts ) + return; + + for ( [ocsp_uri, serial_number, issuer_name] in c$ssl$cert_ts ) + { + local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, + $uid = c$uid, + $end_ts = network_time()]; + + ssl_info_rec$ocsp_uri = ocsp_uri; + ssl_info_rec$serial_number = serial_number; + ssl_info_rec$issuer_name = issuer_name; + + # convert all the elements in the queue to a formatted string + local cert_recv_ts_str: string = ""; + local elem: vector of time; + Queue::get_vector(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], elem); + for ( i in elem ) + { + cert_recv_ts_str += fmt("%f",elem[i]); + if ( i != (|elem| - 1)) + issuer_name += ","; + } + ssl_info_rec$cert_recv_ts = cert_recv_ts_str; + update_ssl_info(ssl_info_rec, c$ssl); + Log::write(LOG_SSL, ssl_info_rec); + #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; + } + clear_table(c$ssl$cert_ts); + } + +event bro_init() + { + Log::create_stream(LOG_OCSP, [$columns=Info_OCSP, $path="ocsp-to-match"]); + Log::create_stream(LOG_SSL, [$columns=Info_SSL, $path="ssl-to-match"]); + } From 1f5a7aecbc1a2c348c1d2e6efa575d3afead754e Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 13 Jul 2015 15:23:56 -0700 Subject: [PATCH 018/147] change log schema for ocsp-ssl-split.bro --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 125 ++++++++++++------ 1 file changed, 87 insertions(+), 38 deletions(-) 
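Review bot: In `connection_state_remove`, the separator loop that builds `cert_recv_ts_str` appends to the wrong variable — `issuer_name += ",";` should be `cert_recv_ts_str += ",";` — so the logged `cert_recv_ts` field runs its timestamps together. Two other spots in the same hunk can fail at runtime on unusual input: `x509_extension` tests `c$ssl?$cert_ts` without first checking `c?$ssl` (a certificate file seen over a non-SSL connection presumably has no `ssl` record), and it takes whichever entry of `f$conns` iterates last, leaving `c` unset when that table is empty; `get_ocsp_uri` returns `w[1]` after `split_string(parts[x], /\/\//)`, which is out of range when an `ocsp`-prefixed line contains no `//`. Guards such as `if ( ! c?$ssl ) return;` and `if ( |w| < 2 ) next;` would keep a malformed certificate from aborting the handler.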
diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 8f24fa2d47..d292697a69 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -86,11 +86,9 @@ export { ## the HTTP code in the HTTP response http_code: count &log &optional; - ## OCSP host, this is host in HTTP request - host: string &log &optional; - - ## OCSP uri, this is uri in HTTP request - uri: string &log &optional; + ## host in HTTP request + uri in HTTP request + ## last '/' is removed + ocsp_uri: string &log &optional; ## number of HTTP requests containing ocsp requests in ## this connection including this one; this may be @@ -100,6 +98,14 @@ export { num_ocsp: count &log &optional; }; + type Issuer_Name_Type: record { + sha1: string &log &optional; + sha224: string &log &optional; + sha256: string &log &optional; + sha384: string &log &optional; + sha512: string &log &optional; + }; + type Info_SSL: record { ## connection id id: conn_id &log; @@ -112,14 +118,22 @@ export { ## client hello time client_hello_ts: time &log &optional; + + ## server hello time + server_hello_ts: time &log &optional; - ## the time when client receives change cipher message - ## from server - change_cipher_ts: time &log &optional; + ## the time for client change cipher message + client_change_cipher_ts: time &log &optional; + + ## the time for server change cipher message + server_change_cipher_ts: time &log &optional; ## the time when SSL connection is established establish_ts: time &log &optional; + ## the time for the first encrypted application data + client_first_encrypt_ts: time &log &optional; + ## the time when event connection_state_remove happens end_ts: time &log &optional; 
@@ -137,15 +151,12 @@ export { cert_recv_ts: string &log &optional; ## issuer_name - ## formatted as: hash_algorithm1:value1,hash_algorithm2:value2 - issuer_name: string &log &optional; + issuer_name: Issuer_Name_Type &log &optional; }; - - ## a group of constant string for hash algorithm; to save - ## memory, remove any unseen hash algorithm - global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); } +redef SSL::disable_analyzer_after_detection=F; + redef record connection += { ## track number of ocsp requests in this connection num_ocsp: count &optional &default=0; @@ -178,22 +189,32 @@ redef record SSL::Info += { ## the time when client hello event happens client_hello_ts: time &optional; + ## server hello time + server_hello_ts: time &optional; + ## the time when ssl connection is established establish_ts: time &optional; - ## the time when server sends change-cipher-spec - change_cipher_ts: time &optional; - + ## the time for client change cipher message + client_change_cipher_ts: time &optional; + + ## the time for server change cipher message + server_change_cipher_ts: time &optional; + ## indexed by ocsp_uri(string), serialNumber(string), issuer - ## name hash(string). issuer name hash is formatted as: - ## hash_algorithm1:value1,hash_algorithm2:value2 - cert_ts: table[string, string, string] of Queue::Queue &optional; + ## name hash(string) + cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; + + ## the time for the first encrypted application data + client_first_encrypt_ts: time &optional; }; # remove the last '/' function clean_uri(s: string): string { local s_len = |s|; + if ( s_len == 0 ) + return s; s_len -= 1; if (s[-1] == "/") return clean_uri(s[0:s_len]); 
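Review bot: `redef SSL::disable_analyzer_after_detection=F;` in the first hunk changes global SSL analyzer behaviour for every deployment that loads this policy script, and it carries no comment saying why. Presumably it is needed so that `ssl_encrypted_data` keeps firing after the handshake (a handler added later in this commit records the first encrypted application data), but the cost is that the SSL analyzer stays attached for the whole lifetime of every TLS connection, not only the ones carrying OCSP. At minimum add `# Keep the SSL analyzer attached after the handshake so ssl_encrypted_data is raised for application data; this raises per-connection cost for all TLS traffic.` above the redef, and mention it in the script header so operators can weigh the trade-off before loading it.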
@@ -247,6 +268,12 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo f$http$ocsp_responses[|f$http$ocsp_responses|] = response; } +# add server hello time +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 + { + c$ssl$server_hello_ts = network_time(); + } + # add client hello time and connection start time event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) { @@ -257,8 +284,10 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_ # add time stamp for server's change cipher message event ssl_change_cipher_spec(c: connection, is_orig: bool) { - if ( ! is_orig ) - c$ssl$change_cipher_ts = network_time(); + if ( is_orig ) + c$ssl$client_change_cipher_ts = network_time(); + else + c$ssl$server_change_cipher_ts = network_time(); } # add ssl established time @@ -267,6 +296,16 @@ event ssl_established(c: connection) c$ssl$establish_ts = network_time(); } +# add time when first encrypted application data is sent from client +event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) + { + if ( ! c?$ssl ) + return; + + if ( content_type == SSL::APPLICATION_DATA && length > 0 && is_orig && ! c$ssl?$client_first_encrypt_ts ) + c$ssl$client_first_encrypt_ts = network_time(); + } + # extract the full ocsp uri from certificate extension function get_ocsp_uri(s: string): string { 
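Review bot: The new `ssl_server_hello` handler in the first hunk writes `c$ssl$server_hello_ts` without checking `c?$ssl`, while the `ssl_encrypted_data` handler added in the third hunk guards with `if ( ! c?$ssl ) return;`. The handler runs at `&priority=5`; if the base SSL script's handler that creates `c$ssl` runs at the same priority, execution order between the two is not guaranteed and the unguarded access raises a runtime error on the first server hello. Either add the same guard as the first statement of the body, `if ( ! c?$ssl ) return;`, or run this handler at a lower priority than the session setup so `c$ssl` is guaranteed to exist. The `ssl_change_cipher_spec` handler in the second hunk also writes through `c$ssl` without a guard.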
@@ -312,18 +351,13 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { c$ssl$cert_ts = table(); local current_ts: time = network_time(); - local issuer_name: string = ""; - - # loop through each hash algorithm - for ( i in hash_algorithm ) - { - local h: string = hash_algorithm[i]; - # formatted as: hash_algorithm1:value1,hash_algorithm2:value2 - issuer_name += h + ":" + x509_issuer_name_hash(cert_ref, h); - if ( i != (|hash_algorithm| - 1)) - issuer_name += ","; - } + local issuer_name: Issuer_Name_Type; + issuer_name$sha1 = x509_issuer_name_hash(cert_ref, "sha1"); + issuer_name$sha224 = x509_issuer_name_hash(cert_ref, "sha224"); + issuer_name$sha256 = x509_issuer_name_hash(cert_ref, "sha256"); + issuer_name$sha384 = x509_issuer_name_hash(cert_ref, "sha384"); + issuer_name$sha512 = x509_issuer_name_hash(cert_ref, "sha512"); # if given index is not in record, create a new queue if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) @@ -354,10 +388,16 @@ function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { if ( http?$host ) - ocsp$host = http$host; + ocsp$ocsp_uri = http$host; if ( http?$uri ) - ocsp$uri = http$uri; + if ( ocsp?$ocsp_uri ) + ocsp$ocsp_uri += http$uri; + else + ocsp$ocsp_uri = http$uri; + + if ( ocsp?$ocsp_uri ) + ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); if ( http?$status_code ) ocsp$http_code = http$status_code; 
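Review bot: The nested `if` in `update_http_info` (second hunk) relies on Bro's dangling-else binding: `if ( http?$uri ) if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += http$uri; else ocsp$ocsp_uri = http$uri;` reads as if the `else` belonged to the outer `if`. Wrap the outer body in braces so the intent is explicit, `if ( http?$uri ) { ... }`. Also, `ocsp_uri` becomes the key that has to line up with the value `get_ocsp_uri` derives from the certificate's AIA extension; that function's body is outside this hunk, so confirm both sides produce the same form (host plus path, no scheme, no trailing slash), otherwise requests and certificates never match and show up only as unmatched entries.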
@@ -529,11 +569,20 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) if ( ssl?$client_hello_ts ) ssl_rec$client_hello_ts = ssl$client_hello_ts; + if ( ssl?$client_first_encrypt_ts ) + ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; + + if ( ssl?$server_hello_ts ) + ssl_rec$server_hello_ts = ssl$server_hello_ts; + if ( ssl?$establish_ts ) ssl_rec$establish_ts = ssl$establish_ts; - if ( ssl?$change_cipher_ts ) - ssl_rec$change_cipher_ts = ssl$change_cipher_ts; + if ( ssl?$client_change_cipher_ts ) + ssl_rec$client_change_cipher_ts = ssl$client_change_cipher_ts; + + if ( ssl?$server_change_cipher_ts ) + ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; } # log SSL information when ssl connection is removed @@ -560,7 +609,7 @@ event connection_state_remove(c: connection) &priority= -20 { cert_recv_ts_str += fmt("%f",elem[i]); if ( i != (|elem| - 1)) - issuer_name += ","; + cert_recv_ts_str += ","; } ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); From 01094bfc43545267ffff3679fbdac12656069777 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 00:40:39 -0700 Subject: [PATCH 019/147] add parsing ocsp request in get url --- scripts/base/files/ocsp/main.bro | 292 +++++++++++++----- src/file_analysis/analyzer/ocsp/OCSP.cc | 2 +- src/file_analysis/analyzer/ocsp/functions.bif | 34 +- 3 files changed, 253 insertions(+), 75 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 62a414d3cf..62d7d2e785 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -14,7 +14,7 @@ export { redef enum Log::ID += { LOG }; ## type for pending ocsp request - type PendingRequests: table[OCSP::CertId] of Queue::Queue; + type PendingQueue: table[OCSP::CertId] of Queue::Queue; ## NOTE: one file could contain several requests ## one ocsp request record 
@@ -22,7 +22,7 @@ export { ## time for the request ts: time; ## file id for this request - id: string &log; + id: string &log &optional; ## connection id cid: conn_id &optional; ## connection uid @@ -35,6 +35,8 @@ export { ## several ocsp requests ## request cert id certId: OCSP::CertId &optional; + ## HTTP method + method: string &optional; }; ## NOTE: one file could contain several response 
@@ -94,52 +96,68 @@ export { ## response resp: Info_resp &log &optional; + + ## HTTP method + method: string &log &optional; }; ## Event for accessing logged OCSP records. global log_ocsp: event(rec: Info); } -redef record connection += { - ## keep track of pending requests received so for - ocsp_requests: PendingRequests &optional; +redef record HTTP::Info += { + # there should be one request and response but use Queue here + # just in case + ocsp_requests: PendingQueue &optional; + ocsp_responses: PendingQueue &optional; + + current_content_type: string &optional &default=""; + original_uri: string &optional; + + # flag for checking get uri + checked_get: bool &optional &default=F; }; -event bro_init() &priority=5 +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { - Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + c$http$original_uri = original_URI; } -function get_http_info(f: fa_file, meta: fa_metadata) +event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) { - if (f$source != "HTTP" || !meta?$mime_type) + c$http$current_content_type = to_lower(ty + "/" + subty); + } + +function check_ocsp_file(f: fa_file, meta: fa_metadata) + { + if ( f$source != "HTTP" || ! 
f?$http ) return; # call OCSP file analyzer - if (meta$mime_type == "application/ocsp-request") + if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request") + { Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); - else if (meta$mime_type == "application/ocsp-response") + } + else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response") + { Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); + } } event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 { if (f$source == "HTTP") - get_http_info(f, meta); + check_ocsp_file(f, meta); } -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 +function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) { - local conn: connection; - local cid: conn_id; - - # there should be only one loop: one connection - for (id in f$conns) - { - cid = id; - conn = f$conns[id]; - } + if ( http?$method ) + req_rec$method = http$method; + } +function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ts: time) + { if (req?$requestList) { for (x in req$requestList) 
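Review bot: `http_content_type` stores `c$http$current_content_type` for both directions and ignores `is_orig`, so the single field holds whichever Content-Type header was parsed last. `check_ocsp_file` then uses that value to decide whether to attach the analyzer with `ocsp_type` `request` or `response`; if a response header has already been seen when a request body is sniffed (or vice versa), the body is handed to the analyzer with the wrong type. Keep one value per direction, for example `if ( is_orig ) c$http$orig_content_type = ...; else c$http$resp_content_type = ...;`, and pick the right one in `check_ocsp_file` from `f$is_orig`. Since the Content-Type header is entirely under the peer's control, the chosen type is only a hint and the analyzer must still cope with a body that is not OCSP at all.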
@@ -149,47 +167,57 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) $issuerNameHash = one_req$issuerNameHash, $issuerKeyHash = one_req$issuerKeyHash, $serialNumber = one_req$serialNumber]; - - local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid]; - - if (req?$version) + local req_rec: OCSP::Info_req = [$ts = req_ts, + $certId = cert_id, + $cid = http$id, + $cuid = http$uid]; + if ( |file_id| > 0 && http$method != "GET" ) + req_rec$id = file_id; + + if ( req?$version ) req_rec$version = req$version; - if (req?$requestorName) + if ( req?$requestorName ) req_rec$requestorName = req$requestorName; - if (!conn?$ocsp_requests) - conn$ocsp_requests = table(); + if ( ! http?$ocsp_requests ) + http$ocsp_requests = table(); - if (cert_id !in conn$ocsp_requests) - conn$ocsp_requests[cert_id] = Queue::init(); + if ( cert_id !in http$ocsp_requests ) + http$ocsp_requests[cert_id] = Queue::init(); - Queue::put(conn$ocsp_requests[cert_id], req_rec); + update_http_info(http, req_rec); + Queue::put(http$ocsp_requests[cert_id], req_rec); } } else { # no request content? this is weird but log it anyway - local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid]; + local req_rec_empty: OCSP::Info_req = [$ts = req_ts, + $cid = http$id, + $cuid = http$uid]; + if ( |file_id| > 0 && http$method != "GET" ) + req_rec_empty$id = file_id; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]); + update_http_info(http, req_rec_empty); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method]); } + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 + { + if ( ! 
f?$http ) + return; + enq_request(f$http, req, f$id, network_time()); } event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { - local conn: connection; - local cid: conn_id; - - # there should be only one loop - for (id in f$conns) - { - cid = id; - conn = f$conns[id]; - } + if ( ! f?$http ) + return; if (resp?$responses) { @@ -200,8 +228,10 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $issuerNameHash = single_resp$issuerNameHash, $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; - local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, - $cid=conn$id, $cuid=conn$uid, + local resp_rec: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, 
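Review bot: `enq_request` in the first hunk reads `http$method` unguarded in `if ( |file_id| > 0 && http$method != "GET" )` (twice) and in `$method=http$method` of the `Log::write` for the empty-request case, while the sibling `update_http_info` checks `http?$method` first. `method` is an optional field of HTTP::Info, so an OCSP body seen without a parsed request line (partial capture, mid-stream pickup) turns into a runtime error instead of a log line. Guard each use the same way, e.g. `if ( |file_id| > 0 && ( ! http?$method || http$method != "GET" ) ) req_rec$id = file_id;`, and set `$method` in the `Log::write` only when present. The body of `enq_request` begins in the previous hunk.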
@@ -213,56 +243,172 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - if (conn?$ocsp_requests && cert_id in conn$ocsp_requests) - { - # find a match - local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); - if (Queue::len(conn$ocsp_requests[cert_id]) == 0) - delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? - } - else - { - # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); - } + if ( ! f$http?$ocsp_responses ) + f$http$ocsp_responses = table(); + + if ( cert_id !in f$http$ocsp_responses ) + f$http$ocsp_responses[cert_id] = Queue::init(); + + Queue::put(f$http$ocsp_responses[cert_id], resp_rec); } } else { # no response content? 
this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, - $cid=conn$id, $cuid=conn$uid, + local resp_rec_empty: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp_ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); + local info_rec: Info = [$ts = resp_rec_empty$ts, + $resp_ts = resp_rec_empty$ts, + $resp = resp_rec_empty, + $cid = f$http$id, + $cuid = f$http$uid]; + if ( f$http?$method ) + info_rec$method = f$http$method; + Log::write(LOG, info_rec); } } -function log_unmatched_msgs_queue(q: Queue::Queue) +function log_unmatched_reqs_queue(q: Queue::Queue) { local reqs: vector of Info_req; Queue::get_vector(q, reqs); - for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]); + { + local info_rec: Info = [$ts = reqs[i]$ts, + $certId = reqs[i]$certId, + $req = reqs[i], + $cid = reqs[i]$cid, + $cuid = reqs[i]$cuid]; + if ( reqs[i]?$method ) + info_rec$method = reqs[i]$method; + Log::write(LOG, info_rec); + } } -function log_unmatched_msgs(msgs: PendingRequests) +function log_unmatched_reqs(reqs: PendingQueue) { - for ( cert_id in msgs ) - log_unmatched_msgs_queue(msgs[cert_id]); - - clear_table(msgs); + for ( cert_id in reqs ) + log_unmatched_reqs_queue(reqs[cert_id]); + clear_table(reqs); } -# need to log unmatched ocsp request if any -event connection_state_remove(c: connection) &priority= -5 +function remove_first_slash(s: string): string { - if (! 
c?$ocsp_requests) + local s_len = |s|; + if (s[0] == "/") + return s[1:s_len]; + else + return s; + } + +function get_uri_prefix(s: string): string + { + s = remove_first_slash(s); + local w = split_string(s, /\//); + if (|w| > 1) + return w[0]; + else + return ""; + } + +function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request + { + local parsed_req: OCSP::Request; + if ( ! http?$original_uri ) + return parsed_req;; + + local uri: string = remove_first_slash(http$uri); + local uri_prefix: string = get_uri_prefix(http$original_uri); + local ocsp_req_str: string; + + if ( |uri_prefix| == 0 ) + { + ocsp_req_str = uri; + } + else if (|uri_prefix| > 0) + { + uri_prefix += "/"; + ocsp_req_str = uri[|uri_prefix|:]; + } + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + return parsed_req; + } + +function start_log_ocsp(http: HTTP::Info) + { + if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) return; - log_unmatched_msgs(c$ocsp_requests); + + if ( ! http?$ocsp_responses ) + { + log_unmatched_reqs(http$ocsp_requests); + return; + } + + for ( cert_id in http$ocsp_responses ) + { + while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) + { + # have unmatched responses + local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]); + local info_rec: Info = [$ts = resp_rec$ts, + $certId = resp_rec$certId, + $resp_ts = resp_rec$ts, + $resp = resp_rec, + $cid = http$id, + $cuid = http$uid, + $method = http$method]; + + if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) + { + # find a match + local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]); + info_rec$req = req_rec; + info_rec$ts = req_rec$ts; + if (Queue::len(http$ocsp_requests[cert_id]) == 0) + delete http$ocsp_requests[cert_id]; + } + else + { + if ( http$method == "GET" && ! 
http$checked_get ) + { + http$checked_get = T; + local req_get: OCSP::Request = check_ocsp_request_uri(http); + enq_request(http, req_get, "", http$ts); + if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) + { + # find a match + local req_rec_tmp: Info_req = Queue::get(http$ocsp_requests[cert_id]); + info_rec$req = req_rec_tmp; + info_rec$ts = req_rec_tmp$ts; + if (Queue::len(http$ocsp_requests[cert_id]) == 0) + delete http$ocsp_requests[cert_id]; + } + } + } + Log::write(LOG, info_rec); + } + if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) + delete http$ocsp_responses[cert_id]; + } + if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) + log_unmatched_reqs(http$ocsp_requests); + } + +# log OCSP information +event HTTP::log_http(rec: HTTP::Info) + { + start_log_ocsp(rec); + } + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); } diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index d49d8d4beb..d0b1a62f90 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -373,7 +373,7 @@ RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) { len = -1; len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); - if (len > 1) + if (len > 0) ocsp_req_record->Assign(1, new StringVal(len, buf)); } diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/ocsp/functions.bif index 19d9ac1cb5..164b4a63ec 100644 --- a/src/file_analysis/analyzer/ocsp/functions.bif +++ b/src/file_analysis/analyzer/ocsp/functions.bif @@ -9,7 +9,7 @@ ## ## Returns: A OCSP::Response structure. ## -## .. bro:see:: ssl_stapled_ocsp +## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response %{ const unsigned char* start = ocsp_reply->Bytes(); 
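Review bot: `get_uri_prefix` decides where the base64 OCSP request starts by splitting `original_uri` on '/', but '/' is itself a character of the base64 alphabet, so an unprefixed request whose encoding contains a '/' yields a bogus prefix and `check_ocsp_request_uri` then strips the beginning of the encoded request before `decode_base64`. The prefix cannot be recovered from the request path alone; it has to come from the responder URL (the certificate's AIA value), or the code should try decoding after each '/' until `ocsp_parse_request` succeeds. `remove_first_slash` also indexes `s[0]` on a possibly empty string, which the `|s| == 0` guard that `clean_uri` has in ocsp-ssl-split.bro would avoid, `if ( |s| == 0 ) return s;`, and `return parsed_req;;` carries a stray semicolon. The decoded bytes come straight from the client's URL, so a parse failure here is expected input rather than an internal error and should not abort the handler.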
@@ -34,3 +34,35 @@ function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response //Unref(resp_record); return resp_record; %} + +## Parses a OCSP request into an OCSP::Request structure. +## +## ocsp_req: OCSP data. +## +## Returns: A OCSP::Request structure. +## +## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response +function ocsp_parse_request%(ocsp_req: string%): OCSP::Request + %{ + const unsigned char* start = ocsp_req->Bytes(); + OCSP_REQUEST *req = NULL; + file_analysis::OCSP_REQVal* req_val = NULL; + RecordVal* req_record = NULL; + req = d2i_OCSP_REQUEST(NULL, &start, ocsp_req->Len()); + if ( ! req ) + { + reporter->Weird("OPENSSL Could not parse OCSP request"); + return NULL; + } + req_val = new file_analysis::OCSP_REQVal(req); + req_record = file_analysis::OCSP::ParseRequest(req_val); + if (!req_record) + { + reporter->Weird("Internal fail to parse OCSP request"); + Unref(req_val); + return NULL; + } + Unref(req_val); + //Unref(req_record); + return req_record; + %} From c2f1c428f0b460923d27df5f2134dd6bb10e68fc Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 01:06:12 -0700 Subject: [PATCH 020/147] fix a bug and update baseline --- scripts/base/files/ocsp/main.bro | 7 ++++--- .../ocsp.log | 10 +++++----- .../ocsp.log | 10 +++++----- .../ocsp.log | 10 +++++----- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 62d7d2e785..f567b7fb8a 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -363,8 +363,7 @@ function start_log_ocsp(http: HTTP::Info) $resp_ts = resp_rec$ts, $resp = resp_rec, $cid = http$id, - $cuid = http$uid, - $method = http$method]; + $cuid = http$uid]; if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) { 
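Review bot: `ocsp_parse_request` returns `NULL` on both failure paths although it is declared to return `OCSP::Request`, and the only caller on this page assigns the result to a local record; if a null return surfaces as an unset value at script level, a malformed GET request becomes a script runtime error rather than the intended empty record, so return an empty `OCSP::Request` record instead (or have the caller check before use). The `reporter->Weird` calls are the right signal for malformed data here, since the bytes are a base64-decoded request URL rather than analyzer state. Small items: the docstring should read `Parses an OCSP request`, and the commented-out `//Unref(req_record);` copies a leftover from `ocsp_parse_response` that should either be explained or dropped.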
@@ -377,7 +376,7 @@ function start_log_ocsp(http: HTTP::Info) } else { - if ( http$method == "GET" && ! http$checked_get ) + if ( http?$method && http$method == "GET" && ! http$checked_get ) { http$checked_get = T; local req_get: OCSP::Request = check_ocsp_request_uri(http); @@ -393,6 +392,8 @@ function start_log_ocsp(http: HTTP::Info) } } } + if ( http?$method ) + info_rec$method = http$method; Log::write(LOG, info_rec); } if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 3ac21e3f22..555d7436f1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-03-35 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - -#close 2015-07-06-23-03-35 +#open 2015-07-15-07-54-54 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - POST +#close 2015-07-15-07-54-54 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 53c2b598d5..a57882aa1c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-05-10 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-06-23-05-10 +#open 2015-07-15-07-55-45 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z POST +#close 2015-07-15-07-55-45 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 4889fdc434..d4c551027e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-05-43 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-06-23-05-43 +#open 2015-07-15-08-02-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z - +#close 2015-07-15-08-02-35 
From fc35ab9bf5b78f088a795f35c01e54ec82c01b84 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 01:30:46 -0700 Subject: [PATCH 021/147] add a btest for ocsp http get --- .../ocsp.log | 10 ++++++++++ testing/btest/Traces/tls/ocsp-http-get.pcap | Bin 0 -> 1812 bytes .../base/protocols/ssl/ocsp-http-get.test | 4 ++++ 3 files changed, 14 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-http-get.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log new file mode 100644 index 0000000000..8ceb5e9770 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-15-08-22-46 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET +#close 2015-07-15-08-22-46 
diff --git a/testing/btest/Traces/tls/ocsp-http-get.pcap b/testing/btest/Traces/tls/ocsp-http-get.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e264d59f2b0ed64290cd7fc9c43d68c23bbb0eae GIT binary patch literal 1812 zcmaKs4@?tx6vyvMTeVt6M;PGTZetk!mEJ*H%OOgEwty6nwtojY{9uL=!|69Ow_nd-S1ZdPIPPfOMdt6 z-RHgEd*9zX|Hb}6879Xb{Nxx8A9i%V<8+qEu?o0H3tQTIbz5|+&~R#D=WNW3Vat=p zi?AZ)@%m$Xl);Piv7FH%tVZrybR9Vl$i(@e`r7tli_L6XzuIA{DE2wUQlG8F>T{Zkiydt`tEl(8c<;LU zl4g5tU>#@)QdY*FmRsClTJ5w;q}AdN8}ow<z9ITwp$Qb#^aV4p3_E`ZNDY-gMTX)4{E zFYNXKngE=}Y0m~+%t1fxVCFo$m*IRg;cI7vY{CoHvTg~eRV6&f0S^jG69E7Ojhkg! zpMgjtB7^aN?7^#+>CC9F1wT4jz1ux%llr~_W;r~fZMI}lreNE0YV<75mk z5Fcby2{@nRrwN@QPpzug)Z6Wv8j+W#>JG&ehjh{uk!y^ac_M3~3>c)GgDY2UY?i2M-*J z%6rgT+%O8C@J+3>LHL-$uFC%=Xul&;9+pA>WXxGT1(!X=76aU;} z`rttNjd_OMs=4>`WR9IZKR#p4I-53pVTc*gZdv~B^UXco1K$<>wrj`zy<4ls#yd`b zd`5G2Ueet)eLY*egJ0dNyqG);GM_ri22Mv8I@3ITV=pz0zOr)O#z1n1>)JPM;lsC^ zGFEus+P7iz>Pz`Wul@Dpf+rTI?`d@1db8=wBOV=$o;Nbded|E*(Lh$ z&-PT-|%(>y53t`a`{)CkKZ=+jVJqRlitR`Kn{&-0Ry*%3qlH{HJqbVSeh# z-G@7`b)Dzlu9B{_(RX^$O{;@9?SH2Jud%7W=HVHg5be0o-2$inAI&|}GkPVuzyAQq CCRr%} literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test new file mode 100644 index 0000000000..10ccc80c63 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test @@ -0,0 +1,4 @@ +# This tests a normal OCSP request sent through HTTP GET + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log From fb757d96a6724f199d9d194148c331ba51c8145a Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 10:39:46 -0700 Subject: [PATCH 022/147] clean up ocsp/main.bro --- scripts/base/files/ocsp/main.bro | 110 ++++++++++++++----------------- 1 file changed, 50 insertions(+), 60 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index f567b7fb8a..6c23bb2de9 100644 
--- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -214,6 +214,48 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) enq_request(f$http, req, f$id, network_time()); } +function remove_first_slash(s: string): string + { + local s_len = |s|; + if (s[0] == "/") + return s[1:s_len]; + else + return s; + } + +function get_uri_prefix(s: string): string + { + s = remove_first_slash(s); + local w = split_string(s, /\//); + if (|w| > 1) + return w[0]; + else + return ""; + } + +function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request + { + local parsed_req: OCSP::Request; + if ( ! http?$original_uri ) + return parsed_req;; + + local uri: string = remove_first_slash(http$uri); + local uri_prefix: string = get_uri_prefix(http$original_uri); + local ocsp_req_str: string; + + if ( |uri_prefix| == 0 ) + { + ocsp_req_str = uri; + } + else if (|uri_prefix| > 0) + { + uri_prefix += "/"; + ocsp_req_str = uri[|uri_prefix|:]; + } + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + return parsed_req; + } + event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { if ( ! f?$http ) @@ -273,6 +315,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo info_rec$method = f$http$method; Log::write(LOG, info_rec); } + + # check if there is a OCSP GET request + if ( f$http?$method && f$http$method == "GET" && ! f$http$checked_get ) + { + f$http$checked_get = T; + local req_get: OCSP::Request = check_ocsp_request_uri(f$http); + enq_request(f$http, req_get, "", f$http$ts); + } } function log_unmatched_reqs_queue(q: Queue::Queue) 
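Review bot: `check_ocsp_request_uri`, moved here unchanged in the first hunk, guards only `http?$original_uri` but then reads `http$uri`, which is likewise optional in HTTP::Info, so the guard should be `if ( ! http?$original_uri || ! http?$uri ) return parsed_req;` (also dropping the doubled semicolon). In the second hunk the GET path is attempted only from inside `ocsp_response`, so a GET-form request is parsed and queued after its response; that ordering works for the matching in `start_log_ocsp`, but a GET request whose response never arrives or fails to parse is never logged, unlike a POST request, which `ocsp_request` queues on its own. A comment stating that asymmetry would save the next reader from hunting for the missing request entry, e.g. `# GET-form requests are only recovered once a response is seen; unanswered GETs are not logged.`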
@@ -299,48 +349,6 @@ function log_unmatched_reqs(reqs: PendingQueue) clear_table(reqs); } -function remove_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return s[1:s_len]; - else - return s; - } - -function get_uri_prefix(s: string): string - { - s = remove_first_slash(s); - local w = split_string(s, /\//); - if (|w| > 1) - return w[0]; - else - return ""; - } - -function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request - { - local parsed_req: OCSP::Request; - if ( ! http?$original_uri ) - return parsed_req;; - - local uri: string = remove_first_slash(http$uri); - local uri_prefix: string = get_uri_prefix(http$original_uri); - local ocsp_req_str: string; - - if ( |uri_prefix| == 0 ) - { - ocsp_req_str = uri; - } - else if (|uri_prefix| > 0) - { - uri_prefix += "/"; - ocsp_req_str = uri[|uri_prefix|:]; - } - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - return parsed_req; - } - function start_log_ocsp(http: HTTP::Info) { if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) @@ -374,24 +382,6 @@ function start_log_ocsp(http: HTTP::Info) if (Queue::len(http$ocsp_requests[cert_id]) == 0) delete http$ocsp_requests[cert_id]; } - else - { - if ( http?$method && http$method == "GET" && ! http$checked_get ) - { - http$checked_get = T; - local req_get: OCSP::Request = check_ocsp_request_uri(http); - enq_request(http, req_get, "", http$ts); - if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) - { - # find a match - local req_rec_tmp: Info_req = Queue::get(http$ocsp_requests[cert_id]); - info_rec$req = req_rec_tmp; - info_rec$ts = req_rec_tmp$ts; - if (Queue::len(http$ocsp_requests[cert_id]) == 0) - delete http$ocsp_requests[cert_id]; - } - } - } if ( http?$method ) info_rec$method = http$method; Log::write(LOG, info_rec); From f0c642cd25550a6d8dcd4bad82662e4f36a1c475 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Wed, 15 Jul 2015 13:31:41 -0700 Subject: [PATCH 023/147] update logging for ocsp and baseline --- scripts/base/files/ocsp/main.bro | 63 +++-- .../policy/protocols/ssl/ocsp-ssl-split.bro | 243 +++--------------- .../ocsp.log | 10 +- .../ocsp.log | 10 +- .../ocsp.log | 10 +- 5 files changed, 98 insertions(+), 238 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 6c23bb2de9..39b4671bb9 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -21,7 +21,8 @@ export { type Info_req: record { ## time for the request ts: time; - ## file id for this request + ## file id for this request or + ## hash of the GET url if it's GET request id: string &log &optional; ## connection id cid: conn_id &optional; @@ -31,8 +32,14 @@ export { version: count &log &optional; ## requestor name requestorName: string &log &optional; + ## NOTE: the above are for one file which may contain ## several ocsp requests + + ## one OCSP request may contain several OCSP requests + ## with different cert id; this is the index of the + ## OCSP request with cert_id in the big OCSP request + index: count &log &optional; ## request cert id certId: OCSP::CertId &optional; ## HTTP method @@ -64,6 +71,11 @@ export { ## NOTE: the following are specific to one cert id ## the above are for one file which may contain ## several responses + + ## one OCSP response may contain several OCSP responses + ## with different cert id; this is the index of the + ## OCSP response with cert_id in the big OCSP response + index: count &log &optional; ##cert id certId: OCSP::CertId &optional; ## certStatus (this is the response to look at) @@ -99,10 +111,15 @@ export { ## HTTP method method: string &log &optional; + + ## HTTP record + http: HTTP::Info &optional; }; ## Event for accessing logged OCSP records. global log_ocsp: event(rec: Info); + + global get_uri_prefix: function(s: string): string; } redef record HTTP::Info += { 
@@ -156,10 +173,12 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) req_rec$method = http$method; } -function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ts: time) +function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { + local index: count = 0; if (req?$requestList) { + index += 1; for (x in req$requestList) { local one_req = req$requestList[x]; @@ -170,10 +189,10 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ local req_rec: OCSP::Info_req = [$ts = req_ts, $certId = cert_id, $cid = http$id, - $cuid = http$uid]; - if ( |file_id| > 0 && http$method != "GET" ) - req_rec$id = file_id; - + $cuid = http$uid, + $index = index, + $id = req_id]; + if ( req?$version ) req_rec$version = req$version; @@ -195,15 +214,14 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ # no request content? this is weird but log it anyway local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, - $cuid = http$uid]; - if ( |file_id| > 0 && http$method != "GET" ) - req_rec_empty$id = file_id; + $cuid = http$uid, + $id = req_id]; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; update_http_info(http, req_rec_empty); - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method]); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } } @@ -263,8 +281,10 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if (resp?$responses) { + local index: count = 0; for (x in resp$responses) { + index += 1; local single_resp: OCSP::SingleResp = resp$responses[x]; local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, $issuerNameHash = single_resp$issuerNameHash, 
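Review bot: `index += 1` in enq_request sits before the `for (x in req$requestList)` loop instead of inside it, so every entry of a multi-request list is logged with `$index = 1`; the response side in this same commit increments inside its loop, and the baselines only carry single-request lists, so they cannot catch the difference. Make the increment the first statement of the loop body, `for (x in req$requestList) { index += 1; ...`, and state in the `index` field's doc comment that the value is 1-based. enq_request's body continues past the hunk.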
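Review bot: The empty-request Log::write passes `$method=http$method` with no `http?$method` guard, while the other log sites in this file use `if ( f$http?$method ) info_rec$method = f$http$method;` and so treat the field as optional; if `method` is unset here the whole handler aborts on a missing field. Build the record first and set `$method` only when present, matching the other sites. The same line now stores the entire `http` record in the log record; since that field is not `&log`, a comment noting it exists only for downstream policy scripts would stop someone from adding `&log` and dumping the whole HTTP record into ocsp.log.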
@@ -279,6 +299,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt, + $index = index, $certId = cert_id, $certStatus = single_resp$certStatus, $thisUpdate = single_resp$thisUpdate]; @@ -310,7 +331,8 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $resp_ts = resp_rec_empty$ts, $resp = resp_rec_empty, $cid = f$http$id, - $cuid = f$http$uid]; + $cuid = f$http$uid, + $http = f$http]; if ( f$http?$method ) info_rec$method = f$http$method; Log::write(LOG, info_rec); @@ -321,11 +343,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { f$http$checked_get = T; local req_get: OCSP::Request = check_ocsp_request_uri(f$http); - enq_request(f$http, req_get, "", f$http$ts); + enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts); } } -function log_unmatched_reqs_queue(q: Queue::Queue) +function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info) { local reqs: vector of Info_req; Queue::get_vector(q, reqs); @@ -335,17 +357,19 @@ function log_unmatched_reqs_queue(q: Queue::Queue) $certId = reqs[i]$certId, $req = reqs[i], $cid = reqs[i]$cid, - $cuid = reqs[i]$cuid]; + $cuid = reqs[i]$cuid, + $http = http]; if ( reqs[i]?$method ) info_rec$method = reqs[i]$method; Log::write(LOG, info_rec); } } -function log_unmatched_reqs(reqs: PendingQueue) +function log_unmatched_reqs(http: HTTP::Info) { + local reqs: PendingQueue = http$ocsp_requests; for ( cert_id in reqs ) - log_unmatched_reqs_queue(reqs[cert_id]); + log_unmatched_reqs_queue(reqs[cert_id], http); clear_table(reqs); } @@ -356,7 +380,7 @@ function start_log_ocsp(http: HTTP::Info) if ( ! http?$ocsp_responses ) { - log_unmatched_reqs(http$ocsp_requests); + log_unmatched_reqs(http); return; } 
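Review bot: `"H" + sha1_hash(f$http$original_uri)` reads `original_uri` without an `f$http?$original_uri` check, whereas `check_ocsp_request_uri` on the line above explicitly handles that field being unset; if it is unset here the handler aborts after `checked_get` has already been set to T, so the request is never retried. Compute the id only when the field exists, e.g. `local req_id = f$http?$original_uri ? "H" + sha1_hash(f$http$original_uri) : "";`. Also document on the `id` field that for GET the value is a hash of the URL and is therefore identical for repeated GETs of the same URL, so it cannot serve as a unique per-request key the way a file id does. ocsp_response's body starts before this hunk.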
@@ -371,7 +395,8 @@ function start_log_ocsp(http: HTTP::Info) $resp_ts = resp_rec$ts, $resp = resp_rec, $cid = http$id, - $cuid = http$uid]; + $cuid = http$uid, + $http = http]; if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) { @@ -390,7 +415,7 @@ function start_log_ocsp(http: HTTP::Info) delete http$ocsp_responses[cert_id]; } if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) - log_unmatched_reqs(http$ocsp_requests); + log_unmatched_reqs(http); } # log OCSP information diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index d292697a69..4594c55cfc 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -13,31 +13,12 @@ export { redef enum Log::ID += { LOG_OCSP }; redef enum Log::ID += { LOG_SSL }; - type PendingRequests: table[OCSP::CertId] of Queue::Queue; - - type OCSP_Request_Type: record { - ts: time; - fuid: string; - req: OCSP::Request; - }; - - type OCSP_Response_Type: record { - ts: time; - fuid: string; - resp: OCSP::Response; - }; - type Info_OCSP: record { ## cert id for the OCSP request cert_id: OCSP::CertId &log &optional; ## request timestamp req_ts: time &log &optional; - - ## one OCSP request may contain several OCSP requests - ## with different cert id; this is the index of the - ## OCSP request with cert_id in the big OCSP request - req_index: count &log &optional; ## request ## NOTE: this is only one request if multiple requests @@ -48,11 +29,6 @@ export { ## response timestamp resp_ts: time &log &optional; - ## one OCSP response may contain several OCSP responses - ## with different cert id; this is the index of the - ## OCSP response with cert_id in the big OCSP response - resp_index: count &log &optional; - ## response ## NOTE: similar to request, if multiple responses are ## sent together in one HTTP message, they will be 
@@ -86,8 +62,12 @@ export { ## the HTTP code in the HTTP response http_code: count &log &optional; + ## HTTP method + method: string &log &optional; + ## host in HTTP request + uri in HTTP request ## last '/' is removed + ## for GET request, OCSP request is remove from url ocsp_uri: string &log &optional; ## number of HTTP requests containing ocsp requests in @@ -168,12 +148,6 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## OCSP_Request_Type - ocsp_requests: vector of OCSP_Request_Type &optional; - - ## OCSP_Response_Type - ocsp_responses: vector of OCSP_Response_Type &optional; - ## connection start time, copied from connection conn_start_ts: time &optional; @@ -242,32 +216,6 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$conn_start_ts = c$start_time; } -# add ocsp request to http record -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( ! f?$http ) - return; - local request: OCSP_Request_Type = [$ts = network_time(), - $fuid = f$id, - $req = req]; - if ( ! f$http?$ocsp_requests ) - f$http$ocsp_requests = vector(); - f$http$ocsp_requests[|f$http$ocsp_requests|] = request; - } - -# add ocsp response to http record -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( ! f?$http ) - return; - local response: OCSP_Response_Type = [$ts = network_time(), - $fuid = f$id, - $resp = resp]; - if ( ! f$http?$ocsp_responses ) - f$http$ocsp_responses = vector(); - f$http$ocsp_responses[|f$http$ocsp_responses|] = response; - } - # add server hello time event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 { 
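Review bot: The new doc comment on `ocsp_uri`, `## for GET request, OCSP request is remove from url`, does not say what is stored; it should read `## for GET requests, the base64-encoded OCSP request is stripped from the URL`. The `method` field is copied from HTTP::Info and is absent when the method was not seen, which is worth stating on the field since the log consumer will otherwise read `-` as "not a GET".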
@@ -367,26 +315,14 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); } -# log unmatched ocsp request or response -function log_unmatched_ocsp_queue (q: Queue::Queue) - { - local rec: vector of OCSP_SSL_SPLIT::Info_OCSP; - Queue::get_vector(q, rec); - for ( i in rec ) - Log::write(LOG_OCSP, rec[i]); - } - -# log unmatched ocsp request or response -function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) - { - for ( cert_id in ocsp ) - log_unmatched_ocsp_queue(ocsp[cert_id]); - clear_table(ocsp); - } - -# update http data in ocsp info record function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { + if ( http?$num_ocsp ) + ocsp$num_ocsp = http$num_ocsp; + + if ( http?$method ) + ocsp$method = http$method; + if ( http?$host ) ocsp$ocsp_uri = http$host; @@ -396,9 +332,18 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) else ocsp$ocsp_uri = http$uri; + if ( http?$method && http$method == "GET" && http?$original_uri ) + { + local uri_prefix: string = OCSP::get_uri_prefix(http$original_uri); + if ( http?$host ) + ocsp$ocsp_uri = http$host; + if ( |uri_prefix| > 0) + ocsp$ocsp_uri += "/" + uri_prefix; + } + if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); - + if ( http?$status_code ) ocsp$http_code = http$status_code; 
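Review bot: In the GET branch of update_http_info, `ocsp$ocsp_uri` is reset to `http$host` only when a host exists; when it does not, `ocsp$ocsp_uri += "/" + uri_prefix` appends the prefix onto whatever the preceding lines already stored (the context suggests the full `http$uri`, base64 request included), producing a doubled path in the log. Set the value explicitly in both cases, e.g. `ocsp$ocsp_uri = http?$host ? http$host : ""; if ( |uri_prefix| > 0 ) ocsp$ocsp_uri += "/" + uri_prefix;`, and add a comment that this intentionally drops the encoded request from the logged responder URI. update_http_info's head is in the preceding hunk on this line.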
@@ -415,147 +360,37 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) ocsp$resp_hdr_size = http$response_header_len; } -# get all the ocsp requests -function get_ocsp_requests(http: HTTP::Info): PendingRequests +function start_log_ocsp(rec: OCSP::Info) { - local pending_ocsp_requests: PendingRequests = table(); + local http: HTTP::Info = rec$http; + local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts]; - if ( ! http?$ocsp_requests ) - return pending_ocsp_requests; - - for ( x in http$ocsp_requests ) + if ( rec?$certId ) + info_ocsp_rec$cert_id = rec$certId; + + if ( rec?$req ) { - local request: OCSP_Request_Type = http$ocsp_requests[x]; - if ( ! request?$req ) - next; - - local req: OCSP::Request = request$req; - if ( ! req?$requestList ) - next; - - local req_index: count = 0; - for ( y in req$requestList ) - { - req_index += 1; - local one_req = req$requestList[y]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; - - local req_rec: OCSP::Info_req = [$ts=request$ts, $id=request$fuid, $certId=cert_id]; - - if (req?$version) - req_rec$version = req$version; - - if (req?$requestorName) - req_rec$requestorName = req$requestorName; - - local ocsp_info_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, - $req_ts = request$ts, - $req_index = req_index, - $req = req_rec, - $cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts, - $num_ocsp = http$num_ocsp]; - update_http_info(ocsp_info_rec, http); - - if ( cert_id !in pending_ocsp_requests ) - pending_ocsp_requests[cert_id] = Queue::init(); - - Queue::put(pending_ocsp_requests[cert_id], ocsp_info_rec); - } + info_ocsp_rec$req = rec$req; + info_ocsp_rec$req_ts = rec$req$ts; } - return pending_ocsp_requests; - } -# log OCSP -function 
start_log_ocsp(http: HTTP::Info) - { - if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) - return; - - local pending_ocsp_requests: PendingRequests = get_ocsp_requests(http); - - if ( ! http?$ocsp_responses ) + if ( rec?$resp ) { - log_unmatched_ocsp(pending_ocsp_requests); - return; + info_ocsp_rec$resp = rec$resp; + info_ocsp_rec$resp_ts = rec$resp$ts; } - - for ( x in http$ocsp_responses ) - { - local response: OCSP_Response_Type = http$ocsp_responses[x]; - if ( ! response?$resp ) - next; - local resp: OCSP::Response = response$resp; - if ( ! resp?$responses ) - next; + if ( rec?$req && rec?$resp ) + info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; - local resp_index: count = 0; - for ( y in resp$responses ) - { - resp_index += 1; - local single_resp: OCSP::SingleResp = resp$responses[y]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: OCSP::Info_resp = [$ts = response$ts, - $id = response$fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - if ( single_resp?$nextUpdate ) - resp_rec$nextUpdate = single_resp$nextUpdate; - - if ( cert_id in pending_ocsp_requests) - { - # find a match - local ocsp_info: OCSP_SSL_SPLIT::Info_OCSP = Queue::get(pending_ocsp_requests[cert_id]); - ocsp_info$resp = resp_rec; - ocsp_info$resp_ts = response$ts; - ocsp_info$resp_index = resp_index; - - # update http info, previously filled in fill_ocsp_request - update_http_info(ocsp_info, http); - - ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; - - if (Queue::len(pending_ocsp_requests[cert_id]) == 0) - delete pending_ocsp_requests[cert_id]; - - 
Log::write(LOG_OCSP, ocsp_info); - } - else - { - local ocsp_info_noreq: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, - $resp_ts = resp_rec$ts, - $resp_index = resp_index, - $resp = resp_rec, - $cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts, - $num_ocsp = http$num_ocsp]; - update_http_info(ocsp_info_noreq, http); - Log::write(LOG_OCSP, ocsp_info_noreq); - } - } - } - if ( |pending_ocsp_requests| != 0 ) - log_unmatched_ocsp(pending_ocsp_requests); + update_http_info(info_ocsp_rec, http); + Log::write(LOG_OCSP, info_ocsp_rec); } # log OCSP information -event HTTP::log_http(rec: HTTP::Info) +event OCSP::log_ocsp(rec: OCSP::Info) { start_log_ocsp(rec); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 555d7436f1..1cb587ca17 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
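Review bot: start_log_ocsp dereferences `rec$http` and `http$conn_start_ts` unconditionally, yet `http` is declared `&optional` on OCSP::Info in this series and `conn_start_ts` is `&optional` on HTTP::Info (its declaration appears in the redef removed earlier in this diff); any OCSP::Info written without them, including by another script raising `OCSP::log_ocsp`, aborts the handler. Open with `if ( ! rec?$http || ! rec$http?$conn_start_ts ) return;`, or fill `$conn_start_ts` conditionally after constructing `info_ocsp_rec`. A one-line comment that `delay` is only computed when request and response were matched by cert id would also help readers of the log.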
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-07-54-54 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - POST -#close 2015-07-15-07-54-54 +#open 2015-07-15-20-25-27 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST +#close 2015-07-15-20-25-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index a57882aa1c..881f614583 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-07-55-45 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z POST -#close 2015-07-15-07-55-45 +#open 2015-07-15-20-24-10 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 
20150618220334Z 20150620100334Z POST +#close 2015-07-15-20-24-11 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index d4c551027e..4027016f1d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-08-02-35 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z - -#close 2015-07-15-08-02-35 +#open 2015-07-15-20-26-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z - +#close 
2015-07-15-20-26-36 From 00a0313967b71ac496e468fac84c89d51b987749 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 18:10:05 -0700 Subject: [PATCH 024/147] fix a bug for parsing OCSP Get request --- scripts/base/files/ocsp/main.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 39b4671bb9..b605374d51 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -236,7 +236,7 @@ function remove_first_slash(s: string): string { local s_len = |s|; if (s[0] == "/") - return s[1:s_len]; + return remove_first_slash(s[1:s_len]); else return s; } From cb0aa7725ee2e3b131305b3777b29bf8b2ad894d Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 18:20:57 -0700 Subject: [PATCH 025/147] fix a few bug for logging --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 59 ++++++++++++------- .../ocsp.log | 10 ++-- 2 files changed, 44 insertions(+), 25 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 4594c55cfc..2862a96dfb 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -148,11 +148,8 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## connection start time, copied from connection - conn_start_ts: time &optional; - - ## number of OCSP requests so far, copied from connection - num_ocsp: count &optional; + ## connection used to get num_ocsp and connection start time + conn: connection &optional; }; # add additional information to ssl info 
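Review bot: The recursive remove_first_slash recurses once per leading `/` of an attacker-controlled request path, so a URL of many thousands of slashes drives the script interpreter that deep, and the base case relies on `s[0]` being harmless on the empty string. A loop removes both concerns: `local i = 0; while ( i < |s| && s[i] == "/" ) i += 1; return s[i:];`. The function's callers are outside this hunk.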
@@ -196,24 +193,47 @@ function clean_uri(s: string): string return s; } -# record the header length and update num_ocsp and conn_start_ts +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( ! f?$http ) + return; + # check if there is a OCSP GET request + if ( f$http?$method && f$http$method == "GET" ) + f$http$conn$num_ocsp += 1; + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( ! f?$http ) + return; + f$http$conn$num_ocsp += 1; + } + +event http_reply (c: connection, version: string, code: count, reason: string) + { + if ( ! c?$http ) + return; + if ( ! c$http?$conn ) + c$http$conn = c; + } + +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) + { + if ( ! c?$http ) + return; + if ( ! c$http?$conn ) + c$http$conn = c; + } + +# record the header length event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) { - # proceed only this http connection has ocsp request or response - if ( ! c$http?$ocsp_requests && ! c$http?$ocsp_responses ) - return; - + if ( ! c?$http ) + return; if ( is_orig ) - { c$http$request_header_len = stat$header_length; - c$num_ocsp += 1; - } else - { c$http$response_header_len = stat$header_length; - } - c$http$num_ocsp = c$num_ocsp; - c$http$conn_start_ts = c$start_time; } # add server hello time @@ -317,8 +337,7 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { - if ( http?$num_ocsp ) - ocsp$num_ocsp = http$num_ocsp; + ocsp$num_ocsp = http$conn$num_ocsp; if ( http?$method ) ocsp$method = http$method; 
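Review bot: `c$http$conn = c` stores the connection record inside a record the connection itself owns; if Bro's script values are reference-counted without cycle collection, that cycle keeps every HTTP connection's state alive after it is removed, which on a busy sensor is unbounded memory growth. Copy the two scalars the policy script needs instead (`c$http$conn_start_ts = c$start_time;` plus a `num_ocsp` counter on HTTP::Info bumped from the ocsp_request/ocsp_response handlers), or at least clear the field in a `connection_state_remove` handler. The new ocsp_request/ocsp_response handlers also write `f$http$conn$num_ocsp` without an `f$http?$conn` check, so an OCSP body attached to an HTTP::Info that never passed through http_request/http_reply aborts the handler; guard with `if ( ! f?$http || ! f$http?$conn ) return;`. http_message_done now records header lengths for every HTTP message rather than only OCSP ones, which deserves a one-line comment so the broader cost is a known choice.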
@@ -365,7 +384,7 @@ function start_log_ocsp(rec: OCSP::Info) local http: HTTP::Info = rec$http; local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, $cuid = http$uid, - $conn_start_ts = http$conn_start_ts]; + $conn_start_ts = http$conn$start_time]; if ( rec?$certId ) info_ocsp_rec$cert_id = rec$certId; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 8ceb5e9770..692581c871 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log 
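Review bot: `http$conn$start_time` is read without checking `http?$conn`, and `conn` was declared `&optional` in this same patch, so an OCSP::Info whose HTTP::Info never went through http_request/http_reply aborts start_log_ocsp here. Guard it at the top, `if ( ! http?$conn ) return;`, or fill `$conn_start_ts` conditionally after constructing the record. start_log_ocsp continues past the hunk.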
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-08-22-46 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET -#close 2015-07-15-08-22-46 +#open 2015-07-15-20-38-15 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET +#close 2015-07-15-20-38-15 
From d20925f230bf9ced2f167af9c3fb030db5277cee Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 19:07:13 -0700 Subject: [PATCH 026/147] make parsing GET url more robust --- scripts/base/files/ocsp/main.bro | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index b605374d51..d93ee7a673 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -232,6 +232,15 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) enq_request(f$http, req, f$id, network_time()); } +function get_first_slash(s: string): string + { + local s_len = |s|; + if (s[0] == "/") + return "/" + get_first_slash(s[1:s_len]); + else + return ""; + } + function remove_first_slash(s: string): string { local s_len = |s|; @@ -243,12 +252,11 @@ function remove_first_slash(s: string): string function get_uri_prefix(s: string): string { - s = remove_first_slash(s); - local w = split_string(s, /\//); + local uri_prefix = get_first_slash(s); + local w = split_string(s[|uri_prefix|:], /\//); if (|w| > 1) - return w[0]; - else - return ""; + uri_prefix += w[0] + "/"; + return uri_prefix; } function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request @@ -256,20 +264,8 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request local parsed_req: OCSP::Request; if ( ! http?$original_uri ) return parsed_req;; - - local uri: string = remove_first_slash(http$uri); local uri_prefix: string = get_uri_prefix(http$original_uri); - local ocsp_req_str: string; - - if ( |uri_prefix| == 0 ) - { - ocsp_req_str = uri; - } - else if (|uri_prefix| > 0) - { - uri_prefix += "/"; - ocsp_req_str = uri[|uri_prefix|:]; - } + local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); return parsed_req; } From 569e637eb15b737f7622f81f050ba356c6f4eef5 Mon Sep 17 00:00:00 2001 
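Review bot: get_uri_prefix now keeps the leading slashes plus the first path component, but check_ocsp_request_uri still measures that prefix on `http$original_uri` and uses `|uri_prefix|` as an offset into `http$uri`; if `uri` is the unescaped URI, as the base HTTP script sets it, the offset is wrong whenever the prefix contains a percent-escape, and because RFC 6960 A.1 URL-encodes the base64, a `%2F` inside the request keeps the slash-splitting heuristic unreliable either way. Slice and decode the same string (take the prefix from `http$uri` as well, or unescape `original_uri` once and use it for both) and keep an `http?$uri` check beside the `original_uri` one. get_first_slash has the same recursion-on-untrusted-input shape as remove_first_slash and reads better as a loop. `return parsed_req;;` has a stray semicolon.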
From: Liang Zhu Date: Thu, 16 Jul 2015 19:31:58 -0700 Subject: [PATCH 027/147] small changes for parsing GET url --- scripts/base/files/ocsp/main.bro | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index d93ee7a673..020ba096cf 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -254,8 +254,12 @@ function get_uri_prefix(s: string): string { local uri_prefix = get_first_slash(s); local w = split_string(s[|uri_prefix|:], /\//); - if (|w| > 1) - uri_prefix += w[0] + "/"; + local i = 0; + while ( i < (|w| - 1) ) + { + uri_prefix += w[i] + "/"; + i += 1; + } return uri_prefix; } From 6c9b49a5d7e6eb7116afb45c1f0a6bc90baeac0f Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 17 Jul 2015 16:00:18 -0700 Subject: [PATCH 028/147] fix a bug for ocsp-ssl-split.bro --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 2862a96dfb..2dee529cf1 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -439,6 +439,21 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; } +# convert all the elements in the queue to a formatted string +function convert_time_q2str(q: Queue::Queue, sep: string): string + { + local s = ""; + local elem: vector of time = vector(); + Queue::get_vector(q, elem); + for ( i in elem ) + { + s += fmt("%f",elem[i]); + if ( i != (|elem| - 1)) + s += sep; + } + return s; + } + # log SSL information when ssl connection is removed event connection_state_remove(c: connection) &priority= -20 { 
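Review bot: `while ( i < (|w| - 1) )` in get_uri_prefix subtracts from a `count`; if `split_string` can return an empty vector for an empty remainder, `|w| - 1` wraps to a huge unsigned value and the loop indexes past `w`. Write the bound without subtraction, `while ( i + 1 < |w| )`, which also states the intent directly (every component except the last is prefix). A comment recording the assumption that the last component is the base64 request, with the caveat that base64 itself may contain `/`, would document the limit of this heuristic for the next reader.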
@@ -450,22 +465,12 @@ event connection_state_remove(c: connection) &priority= -20 local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, $uid = c$uid, $end_ts = network_time()]; - ssl_info_rec$ocsp_uri = ocsp_uri; ssl_info_rec$serial_number = serial_number; ssl_info_rec$issuer_name = issuer_name; - - # convert all the elements in the queue to a formatted string - local cert_recv_ts_str: string = ""; - local elem: vector of time; - Queue::get_vector(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], elem); - for ( i in elem ) - { - cert_recv_ts_str += fmt("%f",elem[i]); - if ( i != (|elem| - 1)) - cert_recv_ts_str += ","; - } - ssl_info_rec$cert_recv_ts = cert_recv_ts_str; + local cert_recv_ts_str:string = convert_time_q2str(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], ","); + if (|cert_recv_ts_str| > 0) + ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); Log::write(LOG_SSL, ssl_info_rec); #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; From 0c3b03ac8da95edbf730611b17c2886565573be5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 01:06:31 -0700 Subject: [PATCH 029/147] log original uri and fix GET url parsing --- scripts/base/files/ocsp/main.bro | 18 ++++++++++++++++-- .../policy/protocols/ssl/ocsp-ssl-split.bro | 6 ++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 020ba096cf..551322b4bc 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -176,7 +176,7 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { local index: count = 0; - if (req?$requestList) + if ( req?$requestList && |req$requestList| > 0 ) { index += 1; for (x in req$requestList) 
@@ -271,6 +271,20 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request local uri_prefix: string = get_uri_prefix(http$original_uri); local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) + { + # normal parse fails, bug url, natively try each part + local w = split_string(http$original_uri, /\//); + local s = ""; + for ( i in w ) + { + s += "/" + w[i]; + ocsp_req_str = http$uri[|s|:]; + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) + break; + } + } return parsed_req; } @@ -279,7 +293,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if ( ! f?$http ) return; - if (resp?$responses) + if ( resp?$responses && |resp$responses| > 0 ) { local index: count = 0; for (x in resp$responses) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 2dee529cf1..69bffb19ed 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -76,6 +76,9 @@ export { ## HTTP request may contain several OCSP requests; ## this is copied from connection num_ocsp: count &log &optional; + + ## the original_uri in HTTP request + original_uri: string &log &optional; }; type Issuer_Name_Type: record { @@ -342,6 +345,9 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$method ) ocsp$method = http$method; + if ( http?$original_uri ) + ocsp$original_uri = http$original_uri; + if ( http?$host ) ocsp$ocsp_uri = http$host; From 4e8d15d8d19f82e04f2cffb48e9fcc976efe1950 Mon Sep 17 00:00:00 2001 
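Review bot: The fallback prefix in `check_ocsp_request_uri` is built as `s += "/" + w[i]`, but `split_string(http$original_uri, /\//)` on a path that starts with `/` yields an empty first element, so `s` becomes `/`, then `//a`, then `//a/b` — one character longer than the real prefix on every iteration after the first — and the slice `http$uri[|s|:]` drops the first byte of the base64 payload. `s += w[i] + "/"` produces the correct `/`, `/a/`, `/a/b/` sequence. The loop also runs `decode_base64` and `ocsp_parse_request` once per path segment for every GET URI that fails the primary parse, which is client-controlled work; a cap on the number of attempts, or a cheap check that the remainder is base64-shaped before decoding, would bound it. The prefix is still measured on `original_uri` and applied to `http$uri`, so percent-escaped prefixes remain misaligned. `natively` in the new comment should read `naively`.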
From: Liang Zhu Date: Sat, 18 Jul 2015 01:53:28 -0700 Subject: [PATCH 030/147] small bug fix --- scripts/base/files/ocsp/main.bro | 7 +++++++ scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 9 +++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 551322b4bc..80fd356f29 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -133,6 +133,9 @@ redef record HTTP::Info += { # flag for checking get uri checked_get: bool &optional &default=F; + + # uri prefix: this the GET url without ocsp request + uri_prefix: string &optional; }; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) @@ -269,6 +272,7 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request if ( ! http?$original_uri ) return parsed_req;; local uri_prefix: string = get_uri_prefix(http$original_uri); + http$uri_prefix = uri_prefix; local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) @@ -282,7 +286,10 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request ocsp_req_str = http$uri[|s|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) + { + http$uri_prefix = s; break; + } } } return parsed_req; diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 69bffb19ed..69bdfb8548 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro 
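Review bot: `http$uri_prefix = uri_prefix;` is set before the primary parse is known to have succeeded, and only overwritten when one of the fallback attempts succeeds; if every attempt fails, `uri_prefix` keeps the first guess even though no OCSP request was found at that offset, and the companion change in ocsp-ssl-split.bro treats a non-empty `uri_prefix` as a signal to rewrite `ocsp_uri`. Assign `http$uri_prefix` only once a parse has produced a non-empty `requestList`, or clear it on the all-failed path. The closing brace of `check_ocsp_request_uri` lies outside the hunk.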
@@ -357,13 +357,14 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) else ocsp$ocsp_uri = http$uri; - if ( http?$method && http$method == "GET" && http?$original_uri ) + if ( http?$method && http$method == "GET" && http?$uri_prefix ) { - local uri_prefix: string = OCSP::get_uri_prefix(http$original_uri); + if ( |http$uri_prefix| > 0) + ocsp$ocsp_uri = ""; if ( http?$host ) ocsp$ocsp_uri = http$host; - if ( |uri_prefix| > 0) - ocsp$ocsp_uri += "/" + uri_prefix; + if ( |http$uri_prefix| > 0) + ocsp$ocsp_uri += http$uri_prefix; } if ( ocsp?$ocsp_uri ) From b4fce308f0bef06c73152fd192a00d961a0351af Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 19:36:47 -0700 Subject: [PATCH 031/147] minor change to deal with empty request --- scripts/base/files/ocsp/main.bro | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 80fd356f29..5c01951a66 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -212,15 +212,15 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t Queue::put(http$ocsp_requests[cert_id], req_rec); } } - else + else if ( req?$version ) { - # no request content? this is weird but log it anyway + # it's ocsp request but has no request content + # this is weird but log it anyway local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, $cuid = http$uid, - $id = req_id]; - if (req?$version) - req_rec_empty$version = req$version; + $id = req_id, + $version = req$version]; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; update_http_info(http, req_rec_empty); From fa654121ec5f77b75329c56884633f85a0df6446 Mon Sep 17 00:00:00 2001 
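Review bot: The GET branch of `update_http_info` tests `|http$uri_prefix| > 0` twice, once to blank `ocsp_uri` and once to append the prefix, with the `http?$host` assignment between them; a single `if ( |http$uri_prefix| > 0 )` branch that sets `ocsp$ocsp_uri` to the host (or `""`) plus the prefix, and an `else if ( http?$host )` that keeps the current host-only assignment, is easier to follow and has the same effect. The enclosing function starts and ends outside the hunk.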
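Review bot: Changing `else` to `else if ( req?$version )` in `enq_request` means a request with neither `requestList` nor `version` is now dropped without any log line, where the previous branch still wrote one, and the retained comment `this is weird but log it anyway` no longer describes the code. If a request lacking both is deliberately treated as not-OCSP, the comment should say so; otherwise keep the unconditional `else` and assign `$version` only when present, `if ( req?$version ) req_rec_empty$version = req$version;`. Silently discarding malformed requests removes exactly the records an analyst would want to see when a client is misbehaving. `enq_request` begins outside the hunk.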
From: Liang Zhu Date: Mon, 20 Jul 2015 15:46:21 -0700 Subject: [PATCH 032/147] fix url parsing bug --- scripts/base/files/ocsp/main.bro | 4 ++-- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 17 ++++++++++++++--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 5c01951a66..1ae854b991 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -277,12 +277,12 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) { - # normal parse fails, bug url, natively try each part + # normal parse fails, bug url, naively try each part local w = split_string(http$original_uri, /\//); local s = ""; for ( i in w ) { - s += "/" + w[i]; + s += w[i] + "/"; ocsp_req_str = http$uri[|s|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 69bdfb8548..e8318e145e 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -78,7 +78,10 @@ export { num_ocsp: count &log &optional; ## the original_uri in HTTP request - original_uri: string &log &optional; + original_uri: string &log &optional; + + ## host in HTTP request + host: string &log &optional; }; type Issuer_Name_Type: record { 
@@ -349,13 +352,21 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) ocsp$original_uri = http$original_uri; if ( http?$host ) + { + ocsp$host = http$host; ocsp$ocsp_uri = http$host; + } if ( http?$uri ) + { + local uri_str = http$uri; + if ( http$uri == "http://" + http$host ) + uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri += http$uri; + ocsp$ocsp_uri += uri_str; else - ocsp$ocsp_uri = http$uri; + ocsp$ocsp_uri = uri_str; + } if ( http?$method && http$method == "GET" && http?$uri_prefix ) { From 5f2cb840d7e7d01327a390771a3738db9cde1acb Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 20 Jul 2015 16:55:19 -0700 Subject: [PATCH 033/147] add user_agent to ocsp-to-match log --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index e8318e145e..38587496a4 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -82,6 +82,9 @@ export { ## host in HTTP request host: string &log &optional; + + ## user_agent + user_agent: string &log &optional; }; type Issuer_Name_Type: record { @@ -348,6 +351,9 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$method ) ocsp$method = http$method; + if ( http?$user_agent ) + ocsp$user_agent = http$user_agent; + if ( http?$original_uri ) ocsp$original_uri = http$original_uri; From 462f6608a8659a6cfbfb9ea6974a0589de6ad1f5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 21 Jul 2015 14:44:33 -0700 Subject: [PATCH 034/147] log the time for server first encrypted application data --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) 
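Review bot: `if ( http$uri == "http://" + http$host )` reads `http$host` inside a block guarded only by `http?$uri`; when the request carries no Host header, accessing the unset optional field is a runtime error in Bro script, so the condition needs `http?$host &&`. The workaround also matches only the exact string `http://host`; if the same client bug produces `http://host/...` forms, those fall through unchanged, which is presumably why the comment speaks of a software bug rather than a specification. A comment naming the client behaviour being compensated for would help the next reader. `update_http_info` continues outside the hunk.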
diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 38587496a4..76b244cfe5 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -120,8 +120,11 @@ export { ## the time when SSL connection is established establish_ts: time &log &optional; - ## the time for the first encrypted application data + ## the time for the first encrypted client application data client_first_encrypt_ts: time &log &optional; + + ## the time for the first encrypted server application data + server_first_encrypt_ts: time &log &optional; ## the time when event connection_state_remove happens end_ts: time &log &optional; @@ -185,8 +188,11 @@ redef record SSL::Info += { ## name hash(string) cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; - ## the time for the first encrypted application data + ## the time for the first encrypted client application data client_first_encrypt_ts: time &optional; + + ## the time for the first encrypted server application data + server_first_encrypt_ts: time &optional; }; # remove the last '/' @@ -279,8 +285,13 @@ event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, leng if ( ! c?$ssl ) return; - if ( content_type == SSL::APPLICATION_DATA && length > 0 && is_orig && ! c$ssl?$client_first_encrypt_ts ) - c$ssl$client_first_encrypt_ts = network_time(); + if ( content_type == SSL::APPLICATION_DATA && length > 0 ) + { + if ( is_orig && ! c$ssl?$client_first_encrypt_ts ) + c$ssl$client_first_encrypt_ts = network_time(); + else if ( ! is_orig && ! c$ssl?$server_first_encrypt_ts ) + c$ssl$server_first_encrypt_ts = network_time(); + } } # extract the full ocsp uri from certificate extension 
@@ -450,6 +461,9 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) if ( ssl?$client_first_encrypt_ts ) ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; + if ( ssl?$server_first_encrypt_ts ) + ssl_rec$server_first_encrypt_ts = ssl$server_first_encrypt_ts; + if ( ssl?$server_hello_ts ) ssl_rec$server_hello_ts = ssl$server_hello_ts; From cea1b62a9a13fba851c2dcc9ca09a0eb12ae4dc2 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 21 Jul 2015 23:38:56 -0700 Subject: [PATCH 035/147] small bug fix --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 76b244cfe5..853f4d65b1 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -377,7 +377,7 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$uri ) { local uri_str = http$uri; - if ( http$uri == "http://" + http$host ) + if ( http?$host && http$uri == "http://" + http$host ) uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += uri_str; From 49c570593a817d398108e5be3d27b60c64c0b3ba Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 23 Jul 2015 15:46:23 -0700 Subject: [PATCH 036/147] check value before assign --- scripts/base/files/ocsp/main.bro | 150 +++++++++++++++++++++---------- scripts/base/init-bare.bro | 8 +- 2 files changed, 107 insertions(+), 51 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1ae854b991..1362330cf1 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro 
@@ -58,15 +58,15 @@ export { ## connection uid cuid: string &optional; ## responseStatus (different from cert status?) - responseStatus: string &log; + responseStatus: string &log &optional; ## responseType - responseType: string &log; + responseType: string &log &optional; ## version - version: count &log; + version: count &log &optional; ## responderID - responderID: string &log; + responderID: string &log &optional; ## producedAt - producedAt: string &log; + producedAt: string &log &optional; ## NOTE: the following are specific to one cert id ## the above are for one file which may contain @@ -176,6 +176,33 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) req_rec$method = http$method; } +function update_request_info(rec: Info_req, req: OCSP::Request) + { + if ( req?$version ) + rec$version = req$version; + + if ( req?$requestorName ) + rec$requestorName = req$requestorName; + } + +function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId + { + local cert_id: OCSP::CertId = []; + if ( one_req?$hashAlgorithm ) + cert_id$hashAlgorithm = one_req$hashAlgorithm; + + if ( one_req?$issuerNameHash ) + cert_id$issuerNameHash = one_req$issuerNameHash; + + if ( one_req?$issuerKeyHash ) + cert_id$issuerKeyHash = one_req$issuerKeyHash; + + if ( one_req?$serialNumber ) + cert_id$serialNumber = one_req$serialNumber; + + return cert_id; + } + function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { local index: count = 0; 
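Review bot: `update_request_info` declares its first parameter as `rec: Info_req` while `cert_id_from_request` right below qualifies its types as `OCSP::OneReq` and `OCSP::CertId`; both resolve inside the module, but the new helpers should use one form. Neither helper has the `##` doc comment the exported records use; suggest `## Copy the optional top-level request fields (version, requestorName) into the log record.` and `## Build a CertId from one request entry, copying only the components that are present.`. Because every CertId component is now optional, `cert_id_from_request` can return a partially filled key; whether the callers want to enqueue such a request at all is worth a sentence in that comment.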
@@ -185,22 +212,14 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t for (x in req$requestList) { local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; + local cert_id: OCSP::CertId = cert_id_from_request(one_req); local req_rec: OCSP::Info_req = [$ts = req_ts, $certId = cert_id, $cid = http$id, $cuid = http$uid, $index = index, $id = req_id]; - - if ( req?$version ) - req_rec$version = req$version; - - if ( req?$requestorName ) - req_rec$requestorName = req$requestorName; + update_request_info(req_rec, req); if ( ! http?$ocsp_requests ) http$ocsp_requests = table(); @@ -219,10 +238,8 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, $cuid = http$uid, - $id = req_id, - $version = req$version]; - if (req?$requestorName) - req_rec_empty$requestorName = req$requestorName; + $id = req_id]; + update_request_info(req_rec_empty, req); update_http_info(http, req_rec_empty); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } 
@@ -295,6 +312,60 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request return parsed_req; } +function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp) + { + if ( single_resp?$certStatus ) + rec$certStatus = single_resp$certStatus; + + if ( single_resp?$thisUpdate ) + rec$thisUpdate = single_resp$thisUpdate; + + if ( single_resp?$nextUpdate ) + rec$nextUpdate = single_resp$nextUpdate; + } + +function update_response_info(rec: Info_resp, resp: OCSP::Response) + { + if ( resp?$responseStatus ) + rec$responseStatus = resp$responseStatus; + + if ( resp?$responseType ) + rec$responseType = resp$responseType; + + if ( resp?$version ) + rec$version = resp$version; + + if ( resp?$responderID ) + rec$responderID = resp$responderID; + + if ( resp?$producedAt ) + rec$producedAt = resp$producedAt; + } + +function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) + { + update_response_info(rec, resp); + update_response_info_single(rec, single_resp); + } + +function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId + { + local cert_id: OCSP::CertId = []; + if ( single_resp?$hashAlgorithm ) + cert_id$hashAlgorithm = single_resp$hashAlgorithm; + + if ( single_resp?$issuerNameHash ) + cert_id$issuerNameHash = single_resp$issuerNameHash; + + if ( single_resp?$issuerKeyHash ) + cert_id$issuerKeyHash = single_resp$issuerKeyHash; + + if ( single_resp?$serialNumber ) + cert_id$serialNumber = single_resp$serialNumber; + + return cert_id; + } + event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { if ( ! f?$http ) 
@@ -307,25 +378,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { index += 1; local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - local resp_rec: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $index = index, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; + local cert_id: OCSP::CertId = cert_id_from_response(single_resp); + local resp_rec: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, + $index = index, + $certId = cert_id]; + update_response_info_with_single(resp_rec, resp, single_resp); if ( ! f$http?$ocsp_responses ) f$http$ocsp_responses = table(); @@ -339,15 +399,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo else { # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt]; + local resp_rec_empty: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid]; + update_response_info(resp_rec_empty, resp); local info_rec: Info = [$ts = resp_rec_empty$ts, $resp_ts = resp_rec_empty$ts, $resp = resp_rec_empty, 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 6ec756c28e..61fd2b5094 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2998,10 +2998,10 @@ export { signature: string &optional; #&log; }; type CertId: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; + hashAlgorithm: string &log &optional; + issuerNameHash: string &log &optional; + issuerKeyHash: string &log &optional; + serialNumber: string &log &optional; }; } From 5d168792ee82b79e1419d475e94f5ac952b74357 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 28 Jul 2015 16:20:38 -0700 Subject: [PATCH 037/147] deal with bug url --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 44 ++++++++++++++++--- 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 853f4d65b1..7f743e6594 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -355,6 +355,28 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); } +function clean_bug_host(host: string): string + { + local s: string = host; + s = clean_uri(s); + if ( s[0:7] == "http://" ) + s = s[7:]; + return s; + } + +function clean_bug_uri(uri: string, host: string): string + { + local s: string = uri; + s = clean_uri(s); + if ( s[0:7] == "http://" ) + s = s[7:]; + + if ( |host| > 0 && s[0:|host|] == host ) + s = s[|host|:]; + + return s; + } + function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { ocsp$num_ocsp = http$conn$num_ocsp; 
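Review bot: All four `CertId` components become `&optional` here, and `cert_id` is used as a table index in main.bro (`Queue::put(http$ocsp_requests[cert_id], req_rec);`, visible in an earlier hunk on this page); a request or response that omits, say, `serialNumber` now yields a partial key instead of a script error, so two different certificates that share the missing component can collide in the table without any signal. Consider requiring at least `serialNumber` and `issuerKeyHash` before enqueueing, or emitting a weird when a component is absent, and note the matching requirement in the record's `##` comment.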
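Review bot: `clean_bug_host` and `clean_bug_uri` compare `s[0:7] == "http://"` and `s[0:|host|] == host` case-sensitively, but URI scheme and host are case-insensitive, so `HTTP://Host/...` passes through untouched while `http://host/...` is normalised; `to_lower(s[0:7]) == "http://"` and comparing `to_lower` of both sides fixes that, and `clean_bug_host` should then also lower-case the returned host so the `ocsp_uri` it feeds is canonical. Both functions lack a doc comment; suggest `## Strip a leading "http://" (and, for clean_bug_uri, a repeated host) that some clients put in the request line.`.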
@@ -368,17 +390,27 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$original_uri ) ocsp$original_uri = http$original_uri; + local host_str: string = ""; + if ( http?$host ) + host_str = clean_bug_host(http$host); + + local uri_str: string = ""; + if ( http?$uri) + { + if (http?$host) + uri_str = clean_bug_uri(http$uri, host_str); + else + uri_str = clean_bug_uri(http$uri, ""); + } + if ( http?$host ) { - ocsp$host = http$host; - ocsp$ocsp_uri = http$host; + ocsp$host = host_str; + ocsp$ocsp_uri = host_str; } if ( http?$uri ) { - local uri_str = http$uri; - if ( http?$host && http$uri == "http://" + http$host ) - uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += uri_str; else @@ -390,7 +422,7 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( |http$uri_prefix| > 0) ocsp$ocsp_uri = ""; if ( http?$host ) - ocsp$ocsp_uri = http$host; + ocsp$ocsp_uri = host_str; if ( |http$uri_prefix| > 0) ocsp$ocsp_uri += http$uri_prefix; } From 61f7276c80c5ace581f3e040af04c5f876dcb105 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 31 Jul 2015 13:39:25 -0700 Subject: [PATCH 038/147] parse revocation time and reason in ocsp response --- src/file_analysis/analyzer/ocsp/OCSP.cc | 30 ++++++++++++++++-- .../ocsp.log | 13 ++++++++ testing/btest/Traces/tls/ocsp-revoked.pcap | Bin 0 -> 12864 bytes .../base/protocols/ssl/ocsp-revoked.test | 4 +++ 4 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-revoked.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index d0b1a62f90..df0dbc5599 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc 
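Review bot: The inner `if (http?$host) uri_str = clean_bug_uri(http$uri, host_str); else uri_str = clean_bug_uri(http$uri, "");` is redundant, because `host_str` is already `""` when `http?$host` is false; `uri_str = clean_bug_uri(http$uri, host_str);` alone has the same effect. The spacing of `if ( http?$uri)` and `if (http?$host)` also differs from the `if ( ... )` style used elsewhere in the function. `update_http_info` begins and ends outside the hunk.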
@@ -411,7 +411,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) OCSP_BASICRESP *basic_resp = NULL; OCSP_RESPDATA *resp_data = NULL; OCSP_RESPID *resp_id = NULL; - OCSP_SINGLERESP *single_resp = NULL; + OCSP_SINGLERESP *single_resp = NULL; + OCSP_REVOKEDINFO *revoked_info = NULL; //OCSP_CERTSTATUS *cst = NULL; //OCSP_REVOKEDINFO *rev = NULL; @@ -495,8 +496,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_fill_cert_id(cert_id, single_resp_bro); //certStatus - const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); - single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); + string revoke_reason = ""; + string revoke_time = ""; + + //add revocation time and reason if it is revoked + if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + { + revoked_info = single_resp->certStatus->value.revoked; + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); + if (len > 0) + revoke_time.assign((const char *)buf, len); + + if (revoked_info->revocationReason) + { + long l = ASN1_ENUMERATED_get(revoked_info->revocationReason); + revoke_reason = OCSP_crl_reason_str(l); + } + } + if (revoke_time.length() > 0) + cert_status_str += " " + revoke_time; + if (revoke_reason.length() > 0) + cert_status_str += " " + revoke_reason; + + single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str())); //thisUpdate len = -1; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log new file mode 100644 index 0000000000..8876f251e7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
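Review bot: Revocation time and reason are appended to the `certStatus` string with a space separator, so script-side consumers and the log column must re-split a field that used to be a plain enumeration; the baseline added by this commit shows values like `revoked 20150514145849Z superseded`, and an unrecognised reason renders as `(UNKNOWN)`, which cannot be told apart from literal text. Adding `revocationTime` and `revocationReason` as separate `&optional` fields on `OCSP::SingleResp` (defined in init-bare.bro, outside this diff) and assigning them here keeps `certStatus` machine-readable. `len = -1;` immediately before `len = ASN1_GENERALIZEDTIME_to_cstr(...)` is dead. `ParseResponse` starts and ends outside the hunk.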
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-31-20-35-18 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 
74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST +#close 2015-07-31-20-35-18 
diff --git a/testing/btest/Traces/tls/ocsp-revoked.pcap b/testing/btest/Traces/tls/ocsp-revoked.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a2cd4509ad0a13b4636fc54488c2b76f452344c4 GIT binary patch literal 12864 zcmeI2dpuO>AIHxb<2I5@g}*Ou?n%k@S)gVPt~!;7;?eD%l{1R;^-kB~`96y(i>m+(9)C#ML>XPd?3US=;J zkd=^02;zj;Dy)cyR7giWbGz(b1oex(m2K3gG^sDnJ3_U%BT z=Ugvu%m#Dw_V%=)TH~q|=LnvF!xLC}uZrZbFm_~Q7&nM5;70IlB7&kKt@xak(VQrO z_&N^`ZSZK1{dJ7@mcsxTvSzUQy9Qm$k@z`c-pLnytnZsaYwxLR*SWAr}BTEU6V&yuCQ7jKm zUmTsFjy5Ts?TrkG^Hnf{?;!EzbYYnicF#o+H`q-AJGJZ#J(V7 zG#tm~&Qhg#ariMDJ`3Y5d**99~dFFqgNCg#~hXZ2l_nL3U6m#|jQKKO&5Ug|p+V*vmMRnN%v1O2;j+$ml>Y z=$05S!m5`N!4J2@!lR=EVEAL$VccN00Nme$4NlAk><}&|n1y*qb1X4C%sn~`JRg;b zQEgc?dlsF6xz6@hrOb$n2WS@N!sl9IbgCFe z!&%^){_!FpoyQ4+Ny);3!XjWWK;{V*=7KqqEmUv=KTa3t3rZF$Fu^G*o_H)ri#)Q^ z$UmKTxNT~;(tG3ftit2j40m-MHK-Z4!|kZHGp7Yu3$!ve`8lp~D5XA)H*VG;<;{upa{2@NrT*>H18&I{w~X_O4%k)gU67qEBrnB< zWIu2$!i929*>WV5L{c|pG-T8-e{??j)i<-bD<4knA37Cz1dpYvfWjm;Rs?Q_$#PpxCy*K zZiJ!e0_QMxR1`+XW-P$GygV@HshAb!O2@}&s}c!jixXcy@K-91GiY?C1Jl6=cc9wg z%wCrDKd`X5&R(9_JPs@b!5ls=M921jOq9qFH3XcekYK93PjlR{F}9d~ttup~V3IJ& z<2Tba%JWv{#%o?ZQiJk+(-5tvx)Z~C9tgjx`}OGNsbwL%+P}MTaKxrDB}iWMwKD4$ zNu#u;P>UaU$K6yl&fImUqTTn;QuVW`O7#t!9kf!e+rK)R(i)+?Gn3uspPH(5#rPKG zyx9|)!W+kPN_xeShm*H_FXRO#mH19PmAb?H;*stJ=hJvP1-nxg8}PfCN4J)G-g{Pf zp;@ln(fxJK{5QoLOkSUFo!afTgO(7-k0$U3-Ig3NW0$UKALH)v2o&uh zlW+v*!QU|QGMs}4DX1(>azm5e%s>^j<#2D1p-R0=CkfTk4HXC?SvEGYv9Z=sAmgJ2 zq1HhW;Wj~$QMkG2IubrcS0BSZaV6QGn{_?$);fC^u zlG+cgW=tu}%1>?Po_y`{YTV`JyorUnV^)g-8?3t+h+A7 zmj-(6{4MhgbwVp_JuHM~TU;#HtzFA6|6BWR#{FSucO+%`WOjvUk#FA5Xnf#pcgc9H z@Vj}9hB+e**>|j4FEh>@o9kk6boi24FZQ{ckW$C5IB;oo{EM;MdkRi2pKWE8zqfq6 zzG~~T#-?=n$h|Nl^Fc-q(h~X-Eg@}S1GhN3qpH*nw1n^E()t=Wb8mW`2?mLG2PgUw zM5;9LY%FMe)X|C3M3ReGqvWhX7+ESrE46yytT`J?%o+`}2{}D*)lKKo{jWt6xi8AgAo@ZwgG?`3(xl%47pY@St_2g495KSH9t`ST?HD9N>IQ0tP2?P zS&-gmFnECc>1^tXCp4=`XjTDq8Z;QRm7=)DLo$qlTAT792BT{|BywD25`n?E&^nO# zB^r#$j59YGTT8|naE)U&U)dznU`)?=rrP5uARoM?=j3-pt^`JAiyTE1YpGFWoC<;& 
zcW7+CjDw>{1EW|AGY-!YW!zU_1mhubu7wKH0t^N`B#H8Mr-C6duYV2?AR7NAB4$G3 zmu@gb73;UAjK-;j8G9AXY`$ z*1)}^UsrDRyrrFctbk=YivyE&+X8k6&D^59d%jnaNf8T9e$Vs^a^Zms8*9!@-&_!M8TBz$S9-~J(kF=R0Q$zc3TI{+*H22lBDfpr}o zl9it{`4k6M{(S9$Yf1K>#99J;iLS1w^6!F`f5>1A84QuZC4P0&e zn(RM8OW0-MCTifSK}(nkllAf7#6*HPOq!VU5HvoT6HEsXcR`|q<)9jc1W`pMQ3DW7 zq>113BT7yvgmEf_XwD1=PNO2?aGC>PM8eEL|H2jT8xu*W1_RG!jp3 zEUl3?L;Tb-G%h1Fj*-yV2sB=Y4Wt>^_<*|sU{v;iNnZ^$E?=WEh-HZ`f*M<|iZm`j zJTGkz@PgI^S{Cvgv9SQeMtHu@vNUcJlcluEvMdWa^i017bZ=-`E^ii-f!<PkuLC(y=1F`-k=GQ`Tj;S-{A=KPZm1)F?90i7?}q z&+3I$vu(T5j;zbW-qoZV6TH|$D)5JmIbHdbjIh{6OqVbk!4}h>~SWO z&afvei?Z0Ve7v*Rve4{lIMa?U+p_#>I_vuyIlXd9c%I`{v!hcJ0zLBfKW}s1m-B1B zX0CG`SFMI_JbiTA^<|@8#)ndFU!9}&ROL$2!HpqaRZpAVZ66zer#s$eous8we1|97 zPX4YZI~8L}+@WLaPd-waB)5cm#wNG=K_ z0Xi9$@KEJ}CET);SQMc5*f6k!|4S1zWLbtRi^#I<2O0Tk%Mx8eG;p;8Tf(LK9eS3X za8G1{s3o+RPOmf7fI0qnaN-GqSR+leu?3Bfx@k^dOK35pk2vwgpc+pS#A`B%Uy*l{9#=8+em0u0Q4$oS?XOyaSecE7=^ch_-V^h6ab0)LSzzwW%2(QSD=v~ zeudCK(()W>RS+uTP-1~>&gB{72lr9#YJ(&d~3AjN(<8aesk*H)xVUoWU-OML-%L?oC9HM<9dXAxV_K#m$Dq_tRt&!FuN( zB_cLM;umjO?3pw>=D*!#A+}HK#cy8WwExbsfY-g4OcrkU-|Vu`doTJwzQ$#bgDsHH zVp$}zSY%nKR68n_P6L}K@HH+}WLf&|+~2ZLZJFTRGMT$9iTMT-+9)mY<|9US#QA6X zkpqQ-%onQ+&tABh>1lS=z3koL4WlfVhyP$76ZqW8@@~uU?Lo#e3U~tJU2CKKw8E4e{M zkX%Mc)3`swWu)ikz-2_hCl)5KjGTTZT1KA0Wn}2ZF!(y_(2HTcFNVSVA^~F!vlSka z`GqjJIYi^rI559r5{Uc)cA(a3V17ZOQ9q)LIlw07fTcu}3Fbgd0%)Z)Yl8>OfhUm2 z9-J6R5G`a76Txd-nzd{Zu^Y@Pf>`p?piiAkJoQ6~r%nV<4O(losb-Vtsh@#a)%_o| C*fs0` literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test new file mode 100644 index 0000000000..3b3bf0a61b --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -0,0 +1,4 @@ +# This tests a OCSP request missing response + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log From 1abd41c413e054bb21b7343d94c1621b48fa7cbc Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Fri, 31 Jul 2015 13:50:48 -0700 Subject: [PATCH 039/147] copy paste error --- testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index 3b3bf0a61b..1125484cdf 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -1,4 +1,4 @@ -# This tests a OCSP request missing response +# This tests OCSP response with revocation # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log From ce47024dd966dae8a59e3ec775ce89291c06cebf Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 16:00:55 -0700 Subject: [PATCH 040/147] simplify some code --- src/file_analysis/analyzer/ocsp/OCSP.cc | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index df0dbc5599..340838eb1a 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -413,9 +413,7 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) OCSP_RESPID *resp_id = NULL; OCSP_SINGLERESP *single_resp = NULL; OCSP_REVOKEDINFO *revoked_info = NULL; - - //OCSP_CERTSTATUS *cst = NULL; - //OCSP_REVOKEDINFO *rev = NULL; + OCSP_CERTSTATUS *cert_status = NULL; RecordVal *ocsp_resp_record = NULL; VectorVal *all_resp_bro = NULL; 
@@ -496,24 +494,22 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_fill_cert_id(cert_id, single_resp_bro); //certStatus - string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); - string revoke_reason = ""; - string revoke_time = ""; + cert_status = single_resp->certStatus; + std::string cert_status_str = OCSP_cert_status_str(cert_status->type); + std::string revoke_reason = ""; + std::string revoke_time = ""; //add revocation time and reason if it is revoked - if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + if (cert_status->type == V_OCSP_CERTSTATUS_REVOKED) { - revoked_info = single_resp->certStatus->value.revoked; + revoked_info = cert_status->value.revoked; len = -1; len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); if (len > 0) revoke_time.assign((const char *)buf, len); if (revoked_info->revocationReason) - { - long l = ASN1_ENUMERATED_get(revoked_info->revocationReason); - revoke_reason = OCSP_crl_reason_str(l); - } + revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); } if (revoke_time.length() > 0) cert_status_str += " " + revoke_time; From 1989f34a0af7b9a10a2ea8e2f05c8b65e7c89795 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 19:35:43 -0700 Subject: [PATCH 041/147] add parsing certificates in OCSP responses --- scripts/base/init-bare.bro | 1 + src/file_analysis/analyzer/ocsp/OCSP.cc | 26 ++++++++++++++++++- .../.stdout | 1 + .../protocols/ssl/ocsp-response-cert.test | 15 +++++++++++ 4 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 0a07685fa5..11e5232d95 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
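Review bot: `len = -1;` immediately before the `ASN1_GENERALIZEDTIME_to_cstr(...)` call is dead — the next statement overwrites it unconditionally — and the rewritten lines keep it; drop it so `if (len > 0)` reads as the only consumer of that return value. The three `std::string x = "";` initialisations are equivalent to plain `std::string x;`. The revoked branch dereferences `cert_status->value.revoked` without a null check; OpenSSL's decoder presumably rejects a REVOKED status with no RevokedInfo, but a one-line `if (revoked_info)` guard around the time/reason extraction costs nothing and documents the assumption. ParseResponse's body starts and ends outside this hunk.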
@@ -3003,6 +3003,7 @@ export { #responseExtensions:xxx signatureAlgorithm: string &log &optional; signature: string &optional; #&log; + certs: vector of opaque of x509 &optional; }; type CertId: record { hashAlgorithm: string &log &optional; diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index 340838eb1a..d54f1f345b 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -15,6 +15,16 @@ #include #include +// helper function of sk_X509_value to avoid namespace problem +// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) +// X509 => file_analysis::X509 +X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) + { + return sk_X509_value(certs, i); + } + +#include "file_analysis/analyzer/x509/X509.h" + using namespace file_analysis; IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); @@ -404,7 +414,6 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) { if (resp_val == NULL) return NULL; - OCSP_RESPONSE *resp = NULL; OCSP_RESPBYTES *resp_bytes = NULL; OCSP_CERTID *cert_id = NULL; @@ -551,6 +560,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) if (len > 0) ocsp_resp_record->Assign(7, new StringVal(len, buf)); } + //certs + if (basic_resp->certs) + { + VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + int num_certs = sk_X509_num(basic_resp->certs); + for (i=0; icerts, i)); + //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); + if (this_cert) + certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); + else + reporter->Weird("OpenSSL returned null certificate"); + } + ocsp_resp_record->Assign(8, certs_vector); + } clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); 
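Review bot: The certificates copied into `certs_vector` in the `@@ -551,6 +560,21 @@` hunk are whatever the response carried on the wire; nothing in this hunk (or, as far as the visible analyzer code shows, elsewhere) checks the response signature or chains them to a trusted responder, so script-land consumers should treat them as untrusted parse output — a comment above the `//certs` block such as `// certs as carried in the BasicOCSPResponse; the analyzer does not verify the response signature, so these are unvalidated` would make that explicit. `helper_sk_X509_value` in the `@@ -15,6 +15,16 @@` hunk is a non-static free function in a .cc file; making it `static` (or putting it in an anonymous namespace) keeps it out of the global symbol table, and the commented-out `//::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));` line should be removed rather than left as dead text. The loop header is garbled in this view (`for (i=0; icerts, i));`), so I cannot confirm the bound or where `i` is declared; I assume it iterates `i < num_certs` over a previously declared `int i`. ParseResponse continues outside the hunk.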
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout new file mode 100644 index 0000000000..b6a95f4f0c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout @@ -0,0 +1 @@ +[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test new file mode 100644 index 0000000000..5ed2bf3253 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test @@ -0,0 +1,15 @@ +# This tests OCSP response containing a certificate + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) +{ +if (resp?$certs) + { + for (x in resp$certs) + { + print x509_parse(resp$certs[x]); + } + } +} \ No newline at end of file From d45558d2a18dce0b1aafe592beaaef226c896577 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 21:44:52 -0700 Subject: [PATCH 042/147] log the number of certs in OCSP response --- scripts/base/files/ocsp/main.bro | 5 +++++ scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1362330cf1..3474e3a797 100644 --- a/scripts/base/files/ocsp/main.bro 
+++ b/scripts/base/files/ocsp/main.bro @@ -67,6 +67,8 @@ export { responderID: string &log &optional; ## producedAt producedAt: string &log &optional; + ## certificates + certs: vector of opaque of x509 &optional; ## NOTE: the following are specific to one cert id ## the above are for one file which may contain @@ -340,6 +342,9 @@ function update_response_info(rec: Info_resp, resp: OCSP::Response) if ( resp?$producedAt ) rec$producedAt = resp$producedAt; + + if ( resp?$certs ) + rec$certs = resp$certs; } function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 7f743e6594..0efad933c9 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -85,6 +85,9 @@ export { ## user_agent user_agent: string &log &optional; + + ## number of certificates in response + resp_certs_num: count &log &default=0; }; type Issuer_Name_Type: record { @@ -466,6 +469,8 @@ function start_log_ocsp(rec: OCSP::Info) { info_ocsp_rec$resp = rec$resp; info_ocsp_rec$resp_ts = rec$resp$ts; + if ( rec$resp?$certs ) + info_ocsp_rec$resp_certs_num = |rec$resp$certs|; } if ( rec?$req && rec?$resp ) From cdc812074c9994fba5c91c418d12ddd6494284f2 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 19 Aug 2015 11:38:34 -0700 Subject: [PATCH 043/147] fix data structure recursion --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 39 +++++++++++++------ 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 0efad933c9..8f10745066 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro 
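Review bot: The doc comment `## certificates` on the new `certs` field in the `@@ -67,6 +67,8 @@` hunk tells a reader nothing they could not get from the field name; suggest `## certificates carried in the response, as seen on the wire (not validated by the analyzer)`. The field is deliberately not `&log`, while `ocsp-ssl-split.bro` in this same patch logs only their count as `resp_certs_num`; a short note that only the count reaches the log would spare the next reader a search. The enclosing record definition starts outside the hunk.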
@@ -163,8 +163,11 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## connection used to get num_ocsp and connection start time - conn: connection &optional; + ## number of OCSP requests so far, copied from connection + num_ocsp: count &optional; + + ## connection start time, copied from connection + conn_start_ts: time &optional; }; # add additional information to ssl info @@ -215,32 +218,44 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { if ( ! f?$http ) return; - # check if there is a OCSP GET request + + # get connection id TODO:TOCHECK + local cid: conn_id; + for ( id in f$conns ) + cid = id; + + # check if there is a OCSP GET request if ( f$http?$method && f$http$method == "GET" ) - f$http$conn$num_ocsp += 1; + f$conns[cid]$num_ocsp += 1; } event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) { if ( ! f?$http ) return; - f$http$conn$num_ocsp += 1; + + # get connection id TODO:TOCHECK + local cid: conn_id; + for ( id in f$conns ) + cid = id; + + f$conns[cid]$num_ocsp += 1; } event http_reply (c: connection, version: string, code: count, reason: string) { if ( ! c?$http ) return; - if ( ! c$http?$conn ) - c$http$conn = c; + if ( ! c$http?$conn_start_ts ) + c$http$conn_start_ts = c$start_time; } event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { if ( ! c?$http ) return; - if ( ! c$http?$conn ) - c$http$conn = c; + if ( ! c$http?$conn_start_ts ) + c$http$conn_start_ts = c$start_time; } # record the header length @@ -252,6 +267,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$request_header_len = stat$header_length; else c$http$response_header_len = stat$header_length; + c$http$num_ocsp = c$num_ocsp; } # add server hello time 
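Review bot: In the `@@ -215,32 +218,44 @@` hunk, `cid` is never assigned when `f$conns` is empty, and the following `f$conns[cid]$num_ocsp += 1` then indexes the table with an uninitialized record; the `TODO:TOCHECK` left in both `ocsp_response` and `ocsp_request` already flags this. Guard before the loop, `if ( |f$conns| == 0 ) return;`, and add a comment that when a file is associated with more than one connection the loop silently keeps whichever `conn_id` is iterated last, which is an arbitrary choice. The same lookup is duplicated in both events of this hunk, so a small helper returning the chosen `conn_id` would avoid the copies drifting apart.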
@@ -382,7 +398,8 @@ function clean_bug_uri(uri: string, host: string): string function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { - ocsp$num_ocsp = http$conn$num_ocsp; + if ( http?$num_ocsp ) + ocsp$num_ocsp = http$num_ocsp; if ( http?$method ) ocsp$method = http$method; @@ -454,7 +471,7 @@ function start_log_ocsp(rec: OCSP::Info) local http: HTTP::Info = rec$http; local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, $cuid = http$uid, - $conn_start_ts = http$conn$start_time]; + $conn_start_ts = http$conn_start_ts]; if ( rec?$certId ) info_ocsp_rec$cert_id = rec$certId; From c93a9fbebdab2386c16b49af0e0c88381eaaf69a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 8 Dec 2015 14:55:50 -0800 Subject: [PATCH 044/147] Log only local-originated IPs. --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 8f10745066..33085f79db 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -494,6 +494,10 @@ function start_log_ocsp(rec: OCSP::Info) info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; update_http_info(info_ocsp_rec, http); + + if ( Site::is_private_addr(info_ocsp_rec$cid$orig_h) || !Site::is_local_addr(info_ocsp_rec$cid$orig_h) ) + return; + Log::write(LOG_OCSP, info_ocsp_rec); } @@ -564,6 +568,10 @@ event connection_state_remove(c: connection) &priority= -20 if (|cert_recv_ts_str| > 0) ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); + + if ( Site::is_private_addr(ssl_info_rec$id$orig_h) || !Site::is_local_addr(ssl_info_rec$id$orig_h) ) + return; + Log::write(LOG_SSL, ssl_info_rec); #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; } From d92fd52b35a907924e85a7413d37ae9393a18394 Mon Sep 17 00:00:00 2001 
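Review bot: The predicate `Site::is_private_addr(orig_h) || !Site::is_local_addr(orig_h)` is written twice in the "Log only local-originated IPs" patch — in `start_log_ocsp` (`@@ -494,6 +494,10 @@`) and again in `connection_state_remove` (`@@ -564,6 +568,10 @@`) — and the commit title understates it, since private-range originators are dropped as well as non-local ones. Factor it into one function, e.g. `function is_loggable_orig(a: addr): bool { return Site::is_local_addr(a) && ! Site::is_private_addr(a); }`, so the two call sites cannot diverge. `Site::is_local_addr` presumably depends on `Site::local_nets`, so a deployment that leaves that set empty will log nothing from either stream; a one-line comment at the check saying so would save an operator from a confusing empty log.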
From: Johanna Amann Date: Mon, 14 Dec 2015 16:06:31 -0800 Subject: [PATCH 045/147] Remove measurement scripts --- .../policy/protocols/ssl/ocsp-measurement.bro | 481 -------------- .../policy/protocols/ssl/ocsp-ssl-split.bro | 585 ------------------ 2 files changed, 1066 deletions(-) delete mode 100644 scripts/policy/protocols/ssl/ocsp-measurement.bro delete mode 100644 scripts/policy/protocols/ssl/ocsp-ssl-split.bro diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro deleted file mode 100644 index b883a36fdc..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ /dev/null 
@@ -1,481 +0,0 @@ -#! Match OCSP request and response to SSL connection for performance analysis - -@load base/protocols/http -@load base/frameworks/files -@load base/files/x509 -@load base/protocols/ssl -@load base/utils/queue - -module OCSP_MEASUREMENT; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - ## cert id for the OCSP request - cert_id: OCSP::CertId &log &optional; - - ## request timestamp - req_ts: time &log &optional; - - ## request - ## NOTE: this is only one request if multiple requests - ## are sent together in one HTTP message, they will be - ## logged separately - req: OCSP::Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - ## NOTE: similar to request, if multiple responses are - ## sent together in one HTTP message, they will be - ## logged separately - resp: OCSP::Info_resp &log &optional; - - ## HTTP connection uid - cuid: string &log; - - ## HTTP connection start time - conn_start_ts: time &log; - - ## for 1st request, this is the time between first TCP - ## SYN and resp_ts; for the rest of the requests in - ## the same connection, this is the time btween req_ts - ## and resp_ts - delay: interval &log &optional; - - ## the size of HTTP request body - req_size: count &log &optional; - - ## the size of HTTP request header - req_hdr_size: count &log &optional; - - ## the size of HTTP response body - resp_size: count &log &optional; - - ## the size of HTTP response header - resp_hdr_size: count &log &optional; - - ## the HTTP code in the HTTP response - http_code: count &log &optional; - - ## OCSP host, this is host in HTTP request - host: string &log; - - ## OCSP uri, this is uri in HTTP request - uri: string &log; - - ## number of HTTP request containing ocsp requests in - ## this connection including this one; this may be - ## different from number of OCSP requests since one - ## HTTP request may contain several OCSP requests - num_ocsp: count &log &optional; - - ## the time 
when the corresponding certificate is - ## received - cert_recv_ts: time &log &optional; - - ## SSL connection uid - ssl_cuid: string &log &optional; - - ## SSL connection id - ssl_cid: conn_id &optional; - - ## the time when client receives change cipher message - ## from server - ssl_change_cipher_ts: time &log &optional; - - ## the time when SSL connection is established - ssl_establish_ts: time &log &optional; - - ## the time when event connection_state_remove happens - ssl_end_ts: time &log &optional; - }; - - ## a group of constant string for hash algorithm - ## to save memory, remove any unseen hash algorithm - global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); - - ## Event from a worker to the manager that it has encountered - ## an OCSP response - global new_ocsp_info: event(c: connection) &redef; - - ## Event from the manager to the workers that a new OCSP info - ## is to be added. - global ocsp_info_add: event(c: connection); -} - -## - map to OCSP_MEASUREMENT::Info -## - indexed by hash algorithm(string), source ip(addr), ocsp -## uri(string), issuer name hash(string), serialNumber(string) -## - is it possible server sends two same certificate? 
To be -## safe, let's use a queue to store OCSP_MEASUREMENT::Info -global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins; - -# track number of ocsp requests in this connection -redef record connection += { - num_ocsp: count &optional &default=0; - }; - -# add additional information to http info -redef record HTTP::Info += { - ## header length - request_header_len: count &optional &default=0; - response_header_len: count &optional &default=0; - - ## OCSP file id - ocsp_request_fuid: string &optional; - ocsp_response_fuid: string &optional; - - ## OCSP request and response timestamp - ocsp_request_ts: time &optional; - ocsp_response_ts: time &optional; - - ## store OCSP requests and responses - ocsp_request: OCSP::Request &optional; - ocsp_response: OCSP::Response &optional; -}; - -# add additional information to ssl info -redef record SSL::Info += { - ## connection start time - connection_start_ts: time &optional; - - ## client hello time - client_hello_ts: time &optional; - - ## ssl connection establish time - ssl_establish_ts: time &optional; - - ## the time when server sends change-cipher-spec - change_cipher_ts: time &optional; - - ## - the time when a cert is received AND the cert has ocsp - ## extension - ## - the 2nd level table indexed by source ip(addr), ocsp - ## uri(string), issuer name hash(string), serialNumber - ## (string) - ## - the 1st level table indexed by different hash algorithm - ## for issuer name hash - ## - is it possible a server sends two same certificate? 
To be - ## safe, let's use a queue to store the time - cert_ts: table[string] of table[addr, string, string, string] of Queue::Queue &optional; -}; - -# set up cluster event -@if ( Cluster::is_enabled() ) -@load base/frameworks/cluster -redef Cluster::manager2worker_events += /OCSP_MEASUREMENT::ocsp_info_add/; -redef Cluster::worker2manager_events += /OCSP_MEASUREMENT::new_ocsp_info/; -@endif - -# get all the requests in one HTTP request -function get_all_requests(http: HTTP::Info): table[OCSP::CertId] of Queue::Queue - { - local pending_requests: table[OCSP::CertId] of Queue::Queue = table(); - if ( http?$ocsp_request && http$ocsp_request?$requestList ) - { - local req = http$ocsp_request; - for (x in req$requestList) - { - local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; - - local req_rec: OCSP::Info_req = [$ts=http$ocsp_request_ts, $id=http$ocsp_request_fuid, $certId=cert_id]; - - if (req?$version) - req_rec$version = req$version; - - if (req?$requestorName) - req_rec$requestorName = req$requestorName; - - if (cert_id !in pending_requests) - pending_requests[cert_id] = Queue::init(); - - Queue::put(pending_requests[cert_id], req_rec); - } - } - return pending_requests; - } - -# remove the last '/' -function clean_uri(s: string): string - { - local s_len = |s|; - s_len -= 1; - if (s[-1] == "/") - return clean_uri(s[0:s_len]); - else - return s; - } - -# fill in OCSP/HTTP information -function fill_ocsp_info(c: connection) - { - local http: HTTP::Info = c$http; - - # get all the requests which will be matched to response later - local pending_requests: table[OCSP::CertId] of Queue::Queue = get_all_requests(http); - - # get all the responses and match them to the requests - if ( http?$ocsp_response && http$ocsp_response?$responses ) - { - local resp = http$ocsp_response; - for (x 
in resp$responses) - { - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, - $id = http$ocsp_response_fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; - - local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, - $cuid = http$uid, - $conn_start_ts = c$start_time, - $host = http$host, - $uri = http$uri, - $resp_ts = resp_rec$ts, - $resp = resp_rec, - $req_size = http$request_body_len, - $req_hdr_size = http$request_header_len, - $resp_size = http$response_body_len, - $resp_hdr_size = http$response_header_len, - $http_code = http$status_code]; - if (cert_id in pending_requests) - { - # find a match - local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); - ocsp_info$req = req_rec; - ocsp_info$req_ts = req_rec$ts; - ocsp_info$num_ocsp = c$num_ocsp; - - if (c$num_ocsp == 1) - ocsp_info$delay = ocsp_info$resp$ts - c$start_time; - else - ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; - - if (Queue::len(pending_requests[cert_id]) == 0) - delete pending_requests[cert_id]; #if queue is empty, delete it? 
- } - - # add to ocsp map - local full_uri: string = clean_uri(http$host + http$uri); - local h = cert_id$hashAlgorithm; - local src_ip: addr = c$id$orig_h; - - if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map ) - ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); - - Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); - } - - } - } - -# work event -@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) -event OCSP_MEASUREMENT::ocsp_info_add(c: connection) - { - fill_ocsp_info(c); - } -@endif - -# manager event -@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) -event OCSP_MEASUREMENT::new_ocsp_info(c: connection) - { - event OCSP_MEASUREMENT::ocsp_info_add(c); - } -@endif - -# record the header length -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - # proceed only this http connection has ocsp request or response - if ( ! c$http?$ocsp_request && ! c$http?$ocsp_response ) - return; - - if ( is_orig ) - { - c$http$request_header_len = stat$header_length; - c$num_ocsp += 1; - } - else - { - c$http$response_header_len = stat$header_length; - # here, a http request-response is done - # if any ocsp info is present, put it in ocsp_map -@if ( ! 
Cluster::is_enabled() ) - fill_ocsp_info(c); -@endif - -@if ( Cluster::is_enabled() ) - # send this ocsp info to manager and manager will send - # it to all the workder - event OCSP_MEASUREMENT::new_ocsp_info(c); -@endif - } - } - -# add ocsp request to http record -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( !f?$http ) - return; - f$http$ocsp_request = req; - f$http$ocsp_request_ts = network_time(); - f$http$ocsp_request_fuid = f$id; - } - -# add ocsp response to http record -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( !f?$http ) - return; - f$http$ocsp_response = resp; - f$http$ocsp_response_ts = network_time(); - f$http$ocsp_response_fuid = f$id; - } - -# add client hello time and connection start time -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) - { - c$ssl$client_hello_ts = network_time(); - c$ssl$connection_start_ts = c$start_time; - } - -# add time stamp for server's change cipher message -event ssl_change_cipher_spec(c: connection, is_orig: bool) - { - if ( is_orig ) - return; - c$ssl$change_cipher_ts = network_time(); - } - -# add ssl established time -event ssl_established(c: connection) - { - c$ssl$ssl_establish_ts = network_time(); - } - -# extract the full ocsp uri from certificate extension -function get_ocsp_uri(s: string): string - { - s = strip(s); - s = to_lower(s); - local parts = split_string(s, /\x0a/); - for (x in parts) - { - local f4c = sub_bytes(parts[x], 0, 4); - if (f4c == "ocsp") - { - local w = split_string(parts[x], /\/\//); - return w[1]; - } - } - return ""; - } - -# create ocsp index if ocsp extension is encountered -# record the time when certificate is received -event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { - if (!ext?$name || ext$name != "Authority Information Access") - return; - - if ( !f?$info || !f$info?$x509 || 
!f$info$x509?$handle || !f$info$x509?$certificate) - return; - - local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); - if ( |ocsp_uri| == 0 ) - return; - - local cert: X509::Certificate = f$info$x509$certificate; - local serial_number: string = cert$serial; - local cert_ref: opaque of x509 = f$info$x509$handle; - - # get connection - local c: connection; - # there should be only one loop - for ( id in f$conns ) - c = f$conns[id]; - - if ( !c$ssl?$cert_ts ) - c$ssl$cert_ts = table(); - - local current_ts: time = network_time(); - local source_ip: addr = c$id$orig_h; - - local issuer_name: table[string] of string; - # loop through each hash algorithm - for (i in hash_algorithm) - { - local h: string = hash_algorithm[i]; - issuer_name[h] = x509_issuer_name_hash(cert_ref, h); - - # if given hash algorithm is not in record, create a new table - if ( h !in c$ssl$cert_ts ) - c$ssl$cert_ts[h] = table(); - - # if given index is not in record, create a new queue - if ( [source_ip, ocsp_uri, issuer_name[h], serial_number] !in c$ssl$cert_ts[h] ) - c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number] = Queue::init(); - - # put the timing information in the queue of ssl info - Queue::put(c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number], current_ts); - } - } - -# log information when ssl connection is removed -event connection_state_remove(c: connection) &priority= -20 - { - if ( ! c?$ssl || ! 
c$ssl?$cert_ts ) - return; - - for (i in hash_algorithm) - { - local h = hash_algorithm[i]; - for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) - { - if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map ) - { - # find a ocsp to ssl match - local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]; - local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; - ocsp_info$cert_recv_ts = cert_recv_ts; - ocsp_info$ssl_cuid = c$uid; - ocsp_info$ssl_cid = c$id; - ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; - ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; - ocsp_info$ssl_end_ts = network_time(); - Log::write(LOG, ocsp_info); - } - } - } - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); - } diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro deleted file mode 100644 index 33085f79db..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ /dev/null 
@@ -1,585 +0,0 @@ -#! log OCSP request, response and related HTTP information -#! log SSL connection which has cert with OCSP uri - -@load base/protocols/http -@load base/frameworks/files -@load base/files/x509 -@load base/protocols/ssl -@load base/utils/queue - -module OCSP_SSL_SPLIT; - -export { - redef enum Log::ID += { LOG_OCSP }; - redef enum Log::ID += { LOG_SSL }; - - type Info_OCSP: record { - ## cert id for the OCSP request - cert_id: OCSP::CertId &log &optional; - - ## request timestamp - req_ts: time &log &optional; - - ## request - ## NOTE: this is only one request if multiple requests - ## are sent together in one HTTP message, they will be - ## logged separately - req: OCSP::Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - ## NOTE: similar to request, if multiple responses are - ## sent together in one HTTP message, they will be - ## logged separately - resp: OCSP::Info_resp &log &optional; - - ## HTTP connection id - cid: conn_id &log; - - ## HTTP connection uid - cuid: string &log; - - ## HTTP connection start time - conn_start_ts: time &log; - - ## the time between req_ts and resp_ts - delay: interval &log &optional; - - ## the size of HTTP request body - req_size: count &log &optional; - - ## the size of HTTP request header - req_hdr_size: count &log &optional; - - ## the size of HTTP response body - resp_size: count &log &optional; - - ## the size of HTTP response header - resp_hdr_size: count &log &optional; - - ## the HTTP code in the HTTP response - http_code: count &log &optional; - - ## HTTP method - method: string &log &optional; - - ## host in HTTP request + uri in HTTP request - ## last '/' is removed - ## for GET request, OCSP request is remove from url - ocsp_uri: string &log &optional; - - ## number of HTTP requests containing ocsp requests in - ## this connection including this one; this may be - ## different from number of OCSP requests since one - ## HTTP request may contain 
several OCSP requests; - ## this is copied from connection - num_ocsp: count &log &optional; - - ## the original_uri in HTTP request - original_uri: string &log &optional; - - ## host in HTTP request - host: string &log &optional; - - ## user_agent - user_agent: string &log &optional; - - ## number of certificates in response - resp_certs_num: count &log &default=0; - }; - - type Issuer_Name_Type: record { - sha1: string &log &optional; - sha224: string &log &optional; - sha256: string &log &optional; - sha384: string &log &optional; - sha512: string &log &optional; - }; - - type Info_SSL: record { - ## connection id - id: conn_id &log; - - ## uid - uid: string &log; - - ## connection start time - conn_start_ts: time &log &optional; - - ## client hello time - client_hello_ts: time &log &optional; - - ## server hello time - server_hello_ts: time &log &optional; - - ## the time for client change cipher message - client_change_cipher_ts: time &log &optional; - - ## the time for server change cipher message - server_change_cipher_ts: time &log &optional; - - ## the time when SSL connection is established - establish_ts: time &log &optional; - - ## the time for the first encrypted client application data - client_first_encrypt_ts: time &log &optional; - - ## the time for the first encrypted server application data - server_first_encrypt_ts: time &log &optional; - - ## the time when event connection_state_remove happens - end_ts: time &log &optional; - - ## the above are common information for SSL connection - ## the following is specific to an cert - - ## ocsp_uri - ocsp_uri: string &log &optional; - - ## serial_number - serial_number: string &log &optional; - - ## the time when the corresponding certificate is - ## received; formatted as: str(time),str(time) - cert_recv_ts: string &log &optional; - - ## issuer_name - issuer_name: Issuer_Name_Type &log &optional; - }; -} - -redef SSL::disable_analyzer_after_detection=F; - -redef record connection += { - ## track number 
of ocsp requests in this connection - num_ocsp: count &optional &default=0; - }; - -# add additional information to http info -redef record HTTP::Info += { - ## header length - request_header_len: count &optional &default=0; - response_header_len: count &optional &default=0; - - ## number of OCSP requests so far, copied from connection - num_ocsp: count &optional; - - ## connection start time, copied from connection - conn_start_ts: time &optional; -}; - -# add additional information to ssl info -redef record SSL::Info += { - ## connection start time - conn_start_ts: time &optional; - - ## the time when client hello event happens - client_hello_ts: time &optional; - - ## server hello time - server_hello_ts: time &optional; - - ## the time when ssl connection is established - establish_ts: time &optional; - - ## the time for client change cipher message - client_change_cipher_ts: time &optional; - - ## the time for server change cipher message - server_change_cipher_ts: time &optional; - - ## indexed by ocsp_uri(string), serialNumber(string), issuer - ## name hash(string) - cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; - - ## the time for the first encrypted client application data - client_first_encrypt_ts: time &optional; - - ## the time for the first encrypted server application data - server_first_encrypt_ts: time &optional; -}; - -# remove the last '/' -function clean_uri(s: string): string - { - local s_len = |s|; - if ( s_len == 0 ) - return s; - s_len -= 1; - if (s[-1] == "/") - return clean_uri(s[0:s_len]); - else - return s; - } - -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( ! 
f?$http ) - return; - - # get connection id TODO:TOCHECK - local cid: conn_id; - for ( id in f$conns ) - cid = id; - - # check if there is a OCSP GET request - if ( f$http?$method && f$http$method == "GET" ) - f$conns[cid]$num_ocsp += 1; - } - -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( ! f?$http ) - return; - - # get connection id TODO:TOCHECK - local cid: conn_id; - for ( id in f$conns ) - cid = id; - - f$conns[cid]$num_ocsp += 1; - } - -event http_reply (c: connection, version: string, code: count, reason: string) - { - if ( ! c?$http ) - return; - if ( ! c$http?$conn_start_ts ) - c$http$conn_start_ts = c$start_time; - } - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - if ( ! c?$http ) - return; - if ( ! c$http?$conn_start_ts ) - c$http$conn_start_ts = c$start_time; - } - -# record the header length -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - if ( ! 
c?$http ) - return; - if ( is_orig ) - c$http$request_header_len = stat$header_length; - else - c$http$response_header_len = stat$header_length; - c$http$num_ocsp = c$num_ocsp; - } - -# add server hello time -event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 - { - c$ssl$server_hello_ts = network_time(); - } - -# add client hello time and connection start time -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) - { - c$ssl$client_hello_ts = network_time(); - c$ssl$conn_start_ts = c$start_time; - } - -# add time stamp for server's change cipher message -event ssl_change_cipher_spec(c: connection, is_orig: bool) - { - if ( is_orig ) - c$ssl$client_change_cipher_ts = network_time(); - else - c$ssl$server_change_cipher_ts = network_time(); - } - -# add ssl established time -event ssl_established(c: connection) - { - c$ssl$establish_ts = network_time(); - } - -# add time when first encrypted application data is sent from client -event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) - { - if ( ! c?$ssl ) - return; - - if ( content_type == SSL::APPLICATION_DATA && length > 0 ) - { - if ( is_orig && ! c$ssl?$client_first_encrypt_ts ) - c$ssl$client_first_encrypt_ts = network_time(); - else if ( ! is_orig && ! 
c$ssl?$server_first_encrypt_ts ) - c$ssl$server_first_encrypt_ts = network_time(); - } - } - -# extract the full ocsp uri from certificate extension -function get_ocsp_uri(s: string): string - { - s = strip(s); - s = to_lower(s); - local parts = split_string(s, /\x0a/); - for (x in parts) - { - local f4c = sub_bytes(parts[x], 0, 4); - if (f4c == "ocsp") - { - local w = split_string(parts[x], /\/\//); - return w[1]; - } - } - return ""; - } - -# create ocsp index if ocsp extension is encountered -# record the time when certificate is received -event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { - if ( ! ext?$name || ext$name != "Authority Information Access") - return; - - if ( ! f?$info || ! f$info?$x509 || ! f$info$x509?$handle || ! f$info$x509?$certificate) - return; - - local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); - if ( |ocsp_uri| == 0 ) - return; - - local cert: X509::Certificate = f$info$x509$certificate; - local serial_number: string = cert$serial; - local cert_ref: opaque of x509 = f$info$x509$handle; - - # get connection TODO:TOCHECK - local c: connection; - # there should be only one loop? - for ( id in f$conns ) - c = f$conns[id]; - - if ( ! 
c$ssl?$cert_ts ) - c$ssl$cert_ts = table(); - - local current_ts: time = network_time(); - - local issuer_name: Issuer_Name_Type; - issuer_name$sha1 = x509_issuer_name_hash(cert_ref, "sha1"); - issuer_name$sha224 = x509_issuer_name_hash(cert_ref, "sha224"); - issuer_name$sha256 = x509_issuer_name_hash(cert_ref, "sha256"); - issuer_name$sha384 = x509_issuer_name_hash(cert_ref, "sha384"); - issuer_name$sha512 = x509_issuer_name_hash(cert_ref, "sha512"); - - # if given index is not in record, create a new queue - if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) - c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name] = Queue::init(); - - # put the timing information in the queue - Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); - } - -function clean_bug_host(host: string): string - { - local s: string = host; - s = clean_uri(s); - if ( s[0:7] == "http://" ) - s = s[7:]; - return s; - } - -function clean_bug_uri(uri: string, host: string): string - { - local s: string = uri; - s = clean_uri(s); - if ( s[0:7] == "http://" ) - s = s[7:]; - - if ( |host| > 0 && s[0:|host|] == host ) - s = s[|host|:]; - - return s; - } - -function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) - { - if ( http?$num_ocsp ) - ocsp$num_ocsp = http$num_ocsp; - - if ( http?$method ) - ocsp$method = http$method; - - if ( http?$user_agent ) - ocsp$user_agent = http$user_agent; - - if ( http?$original_uri ) - ocsp$original_uri = http$original_uri; - - local host_str: string = ""; - if ( http?$host ) - host_str = clean_bug_host(http$host); - - local uri_str: string = ""; - if ( http?$uri) - { - if (http?$host) - uri_str = clean_bug_uri(http$uri, host_str); - else - uri_str = clean_bug_uri(http$uri, ""); - } - - if ( http?$host ) - { - ocsp$host = host_str; - ocsp$ocsp_uri = host_str; - } - - if ( http?$uri ) - { - if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri += uri_str; - else - ocsp$ocsp_uri = uri_str; - } - - if ( http?$method && http$method 
== "GET" && http?$uri_prefix ) - { - if ( |http$uri_prefix| > 0) - ocsp$ocsp_uri = ""; - if ( http?$host ) - ocsp$ocsp_uri = host_str; - if ( |http$uri_prefix| > 0) - ocsp$ocsp_uri += http$uri_prefix; - } - - if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); - - if ( http?$status_code ) - ocsp$http_code = http$status_code; - - if ( http?$request_body_len ) - ocsp$req_size = http$request_body_len; - - if ( http?$request_header_len ) - ocsp$req_hdr_size = http$request_header_len; - - if ( http?$response_body_len ) - ocsp$resp_size = http$response_body_len; - - if ( http?$response_header_len ) - ocsp$resp_hdr_size = http$response_header_len; - } - -function start_log_ocsp(rec: OCSP::Info) - { - local http: HTTP::Info = rec$http; - local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts]; - - if ( rec?$certId ) - info_ocsp_rec$cert_id = rec$certId; - - if ( rec?$req ) - { - info_ocsp_rec$req = rec$req; - info_ocsp_rec$req_ts = rec$req$ts; - } - - if ( rec?$resp ) - { - info_ocsp_rec$resp = rec$resp; - info_ocsp_rec$resp_ts = rec$resp$ts; - if ( rec$resp?$certs ) - info_ocsp_rec$resp_certs_num = |rec$resp$certs|; - } - - if ( rec?$req && rec?$resp ) - info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; - - update_http_info(info_ocsp_rec, http); - - if ( Site::is_private_addr(info_ocsp_rec$cid$orig_h) || !Site::is_local_addr(info_ocsp_rec$cid$orig_h) ) - return; - - Log::write(LOG_OCSP, info_ocsp_rec); - } - -# log OCSP information -event OCSP::log_ocsp(rec: OCSP::Info) - { - start_log_ocsp(rec); - } - -# update ssl info -function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) - { - if ( ssl?$conn_start_ts ) - ssl_rec$conn_start_ts = ssl$conn_start_ts; - - if ( ssl?$client_hello_ts ) - ssl_rec$client_hello_ts = ssl$client_hello_ts; - - if ( ssl?$client_first_encrypt_ts ) - ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; - - if ( 
ssl?$server_first_encrypt_ts ) - ssl_rec$server_first_encrypt_ts = ssl$server_first_encrypt_ts; - - if ( ssl?$server_hello_ts ) - ssl_rec$server_hello_ts = ssl$server_hello_ts; - - if ( ssl?$establish_ts ) - ssl_rec$establish_ts = ssl$establish_ts; - - if ( ssl?$client_change_cipher_ts ) - ssl_rec$client_change_cipher_ts = ssl$client_change_cipher_ts; - - if ( ssl?$server_change_cipher_ts ) - ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; - } - -# convert all the elements in the queue to a formatted string -function convert_time_q2str(q: Queue::Queue, sep: string): string - { - local s = ""; - local elem: vector of time = vector(); - Queue::get_vector(q, elem); - for ( i in elem ) - { - s += fmt("%f",elem[i]); - if ( i != (|elem| - 1)) - s += sep; - } - return s; - } - -# log SSL information when ssl connection is removed -event connection_state_remove(c: connection) &priority= -20 - { - if ( ! c?$ssl || ! c$ssl?$cert_ts ) - return; - - for ( [ocsp_uri, serial_number, issuer_name] in c$ssl$cert_ts ) - { - local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, - $uid = c$uid, - $end_ts = network_time()]; - ssl_info_rec$ocsp_uri = ocsp_uri; - ssl_info_rec$serial_number = serial_number; - ssl_info_rec$issuer_name = issuer_name; - local cert_recv_ts_str:string = convert_time_q2str(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], ","); - if (|cert_recv_ts_str| > 0) - ssl_info_rec$cert_recv_ts = cert_recv_ts_str; - update_ssl_info(ssl_info_rec, c$ssl); - - if ( Site::is_private_addr(ssl_info_rec$id$orig_h) || !Site::is_local_addr(ssl_info_rec$id$orig_h) ) - return; - - Log::write(LOG_SSL, ssl_info_rec); - #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; - } - clear_table(c$ssl$cert_ts); - } - -event bro_init() - { - Log::create_stream(LOG_OCSP, [$columns=Info_OCSP, $path="ocsp-to-match"]); - Log::create_stream(LOG_SSL, [$columns=Info_SSL, $path="ssl-to-match"]); - } 
From 3882ba6fbfdbdc2d25ab6cee6401de2e0684acce Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 3 Feb 2017 11:23:49 -0800 Subject: [PATCH 046/147] Add support for the signed_certificate_timestamp TLS extension. --- src/analyzer/protocol/ssl/events.bif | 23 +++++++++++++++++- .../protocol/ssl/tls-handshake-analyzer.pac | 22 ++++++++++++++++- .../protocol/ssl/tls-handshake-protocol.pac | 20 +++++++++++++++ .../.stdout | 3 +++ .../tls/signed_certificate_timestamp.pcap | Bin 0 -> 36501 bytes .../ssl/signed_certificate_timestamp.test | 7 ++++++ 6 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/signed_certificate_timestamp.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2855dd7fe9..3fb565b8aa 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -192,7 +192,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## the initial handshake. It contains the list of client supported application ## protocols by the client or the server, respectively. ## -## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts. +## At the moment it is mostly used to negotiate the use of SPDY / HTTP2. ## ## c: The connection. ## 
@@ -225,6 +225,27 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_key_share event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for the signed_certificate_timestamp TLS extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the current NTP Time +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index a4f4f94c6f..7f4eb2ba3c 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
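Review bot: The parameter documentation for `logid` and `timestamp` in the new `ssl_extension_signed_certificate_timestamp` declaration does not match what the parser delivers: the companion protocol change reads `logid: bytestring &length=32`, a 32 byte log id (RFC 6962 section 3.2 defines it as the SHA-256 hash of the log's public key), not a "32 bit key id", and the wire timestamp is milliseconds since the Unix epoch (the analyzer divides by 1000 before raising the event), not "the current NTP Time". Script writers who key on these values, for example matching `logid` against a list of known logs, need the correct width and origin. Suggested wording: `## logid: the 32 byte log id (SHA-256 hash of the log's public key, RFC 6962 section 3.2)` and `## timestamp: time at which the log issued the SCT (converted from milliseconds since the UNIX epoch)`.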
@@ -231,6 +231,24 @@ refine connection Handshake_Conn += { return true; %} + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + ha->Assign(0, new Val(digitally_signed_algorithms->HashAlgorithm(), TYPE_COUNT)); + ha->Assign(1, new Val(digitally_signed_algorithms->SignatureAlgorithm(), TYPE_COUNT)); + + BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + ha, + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} + function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ BifEvent::generate_ssl_dh_server_params(bro_analyzer(), @@ -251,7 +269,6 @@ refine connection Handshake_Conn += { return true; %} - }; refine typeattr ClientHello += &let { @@ -333,3 +350,6 @@ refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..65da41e0db 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
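Review bot: `proc_signedcertificatetimestamp` carries no comment explaining the `/1000` on the timestamp, which is the only place the wire unit (milliseconds since the Unix epoch, per RFC 6962) is turned into a Bro `time`; a reader seeing `((double)timestamp)/1000` cannot tell whether the divisor is a unit conversion or a rounding choice. Suggest `# SCT timestamps are milliseconds since the UNIX epoch (RFC 6962 section 3.2); convert to seconds for the time value.` above the event call, and `static_cast<double>(timestamp) / 1000.0` in place of the C-style cast, consistent with the two `reinterpret_cast` calls in the same function. Those `reinterpret_cast` calls appear here without a target type, which I assume is a rendering artifact of this page rather than the committed code.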
@@ -485,11 +485,31 @@ type SSLExtension(rec: HandshakeRecord) = record { # EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0); EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); + EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +type SignedCertificateTimestampList(rec: HandshakeRecord) = record { + length: uint16; + SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); +} &length=length+2; + +type SignedCertificateTimestamp(rec: HandshakeRecord) = record { + # before - framing + length: uint16; + # from here: SignedCertificateTimestamp + version: uint8; + logid: bytestring &length=32; + timestamp: uint64; + extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them + extensions: bytestring &length=extensions_length; + digitally_signed_algorithms: SignatureAndHashAlgorithm; + digitally_signed_signature_length: uint16; + digitally_signed_signature: bytestring &length=digitally_signed_signature_length; +} &length=length+2; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..abed68df42 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
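Review bot: `SignedCertificateTimestamp` reads `version` and then unconditionally parses the remaining fields in the v1 layout; nothing in the type records that this is the RFC 6962 v1 structure, so a future non-zero version would be parsed silently as v1 and handed to scripts with the wrong field meanings. Suggest `# SignedCertificateTimestamp v1 layout (RFC 6962 section 3.2); version is passed through so scripts can detect anything other than 0` next to `version: uint8;`, and `# log id: SHA-256 hash of the log's public key` on the `logid` line so the literal 32 is tied to its meaning. The per-SCT `&length=length+2` keeps `digitally_signed_signature_length` and `extensions_length` bounded by the outer framing, which is the right shape; a short note that a client's empty SCT extension (RFC 6962 section 3.3.1) is expected to be absorbed by the existing `[] &until($element == 0 || $element != 0)` idiom in `SSLExtension` would help the next reader, since that is not stated anywhere in the new types.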
@@ -0,0 +1,3 @@ +0, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] +0, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] +0, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] 
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..50efed9cea5db93fddffb4cdb338f03479625b98 GIT binary patch literal 36501 zcmd?QWmH_t*6-bodvGVXTjTET5L`lV3GN!)B{;!@yL)hgI|L67fe@S!+-{S-v(L`i z=Q+>&&yFhyj5C z*+t*Q+{MrZ8Z8+u9>pBR=)&m21Y`g*0n7jn00LO90v{g$cmyASUmJh|Kmq{Z9W9-m zO&ytB%>g*zYvka948R1SLqWnpK>?v5;h>>`a4;}H2p|9&0R8hh06O?4)ThTGELh>*Y0o`TExT21%{cvT8Q7Kfy zmy*(Syy9oD07mdbK=31o2&JXI=#Y?*5RgCs0{9OOtU&~>7B2V?3S57Ph=?amEWi%f z)c*sYC%3|jg#OD>|1kvEw<4Z~0MP#5h5*l{rogEmDqz3n>mP0fcG5bIjwrP!MMALR zCN$t@`FBO=nXSkt#oO`!NzrZKcSUSSNMJYERofvUjU?ZG^AE_n2gta;v4kZ=-58#Q zI^uTNd5&F8o<1Pd3Fu-50F$2j?GFz`1VBLoz;6EJbKv>_(1DgfbASsV{{wt%J+2mJ zXe&nUsJT4?KSv7GHNjf*mfIN0Ao4OQxB^n|Qjf5~oPY#Kg2W+62;~A^CfS_!W3_;?gMqulkQ~d_5ZRaeQ`JEa5WyBX$${6$?c0A8M zW#OIxTmcprDObcM0Uf+iM;~a26wNcdBSQLF8AeT%TK1+o$opA#}3W!0cF;P(xpN+ybBCi!oV1qsr zQ_opE8tZf5h+C1FLIm4Al51~r88>Lz5Va&O+sHD@d*<`1+HoNe(CZcMS$sbNwkxe? 
z5)t|@yR_kR)vD8}1GdrvlS#>t<;UokrR~6C1ir@c2ap!2dOP!M%vOfCxaH0iaF+pv6G}(88bqD4J|Y z2p|Lms+Yl7ik7U#K?bQrFOu372!sp+PZuH`a)}HCB0>W|{;@2GAb1!^bto7N2q{q( z0ubKQ2^4~|B?k8#{{AOaSNidos*@rrK_o`syqui2=$LD{R^F-03g}l8wCgrfD8aW1Awn1 zKm>r{){>+}!<`N(F(!JB7>Ej>h%f9zMqdo~GAG&q3`1jB*tXT}H9OTa_2o zyHi3X*#;i?fdi>Ww~`|zuEsdWjhy`G6m|1$Q`J*8e*N$8!jiEpx+ zQXsI(0JrCQNYrHe?ZJ0)HpItp&Wr7d3-~N5B~WD}5o-=aQ-y&Cx@;TwBpaMU;0S;F z>!c^51M>oabKn;F^t0iK$f0mS*nXI?Rj+vybr2U~_s}(**2L<0X+D1i5rG?+2n7lo z3bV;@e1w96gn-TlAwAuW@pKLW0{rnXB@{LY z69$eR1_%ue3km$|2m+-1bTbK*3`h#Z2ZIE@0SZ{l0uFDGP#}5`?XMdlfY?M&k=kr+w=BnOhomdch05qo+P{GhR; z^`B1}8$KN{|KY=67yiTL{^h`b`0pR?D<;AOeh}mz{HrcNAe0Bl4W#tz90c(<3(o(G zg(u<@{deL={UrX_@5F~){1ro}p9lm_&VI#^UxV%+b#?|({8dF@2=1SaU}x-P|63hF z)BSGCaGkSS&4Jt2L(xp|fxT zuKnIK^+Z{{<%Wmn7TPK%xWQ6!TF{h)B70tbe5b@=0FtaU`rI;Y=PXe78^E%+%L3t` z3ZK8|P(qc2n0-SmK&KAKT^icdeDav7P9#AAwdd2r0`Y9>ScTEeEU!2hRGQ z^`(iFcTXqZdS`sGRJX!%G^~RZE)_%B7=Xv#M>C=q1|m<5JIU2$K+xPl-lev*qfh#& zw3&Ph8Z=tS6O<9wW_l*uy+s#JYs?7S zr9AH_*uS?L(i512|9=DX(^&ZlX0pG5SM73 zRvr*53(GGW|6dqD{x_n({Rn}#k*%G-&&?6da1WfEmgzDXKs17uz~(K^?m~j_B^q7o z&9QNV%zGAcy#NMc6h(44JFai~RuH*L{$q8Mg#HU=_El*LlX{U# zz`M&1^VO_L&mvVnKJSY2WOciDQV8C`k!0_p>w?ykH7D(H4U%Jy7-17Kb6SR{#=O4u z(xuUm#wpmvD^V7F_vBciT9z!BEZ63UdQ^-PQx?)rcy6sidZdL}_TZxIE+}737=m$Q zmD0A(m-syR#WG|91+MJ~wTi@!{VJtcKJtca!C|A%;F!%36A`u3%Vi0WU+Gq@2x3*c zcg_1_95aob zwfOO^g_H)+(gusq8@P^9CHk!w*Y%UA>h>%0J{vq+xC zby2|r5IBdeYz%NiiP3z+zF&l%c_~G0Fn7z%XYH7qcqNLzc4!9^CGimkQ2J$ed9h)` z$^GDhe0gfc`YnD;!Je9Ta#PQP`rBw3{X3J^3BmT{eao@Vb?H;10Mu6 z5BrG|p_66tkf6E9lCTbV^Y0s^}Kzzc|}YWQ}-!*olBR7 zk7XN0lToL+!lPWD#0O388r{ZcjySRPsK= zuCpc9{*#7Vu>0{IWeLu>vSSp0w{&aCnEm|~j012pfMn*uuDu2T?GDcToxz#E-k$-6 z+U!VUU*_y>*}Q%3UC`=pN$yjCvHM$mQI+_WFe6|f{&I2>5m6Q@a9;2;(}Ka^#X<%mdAbi01Mi>rfu{s7?ChMMA_+K#aIk?`K;v`hQKt3xN2ot$t1jAf6@!5a0;`c<{#Us>Odo(5NX#rda8l5I1*DrRU0fLv9an zXj5J5y`e*ok@H2>Xn$|-*ktHCB=-!bNMNfP%JAqB?cKnS5J7|+LA~pQ9d^$}OslUM zb-~#Io~~66vGWJ_$Tu0*H*3`aKQMi+J9-P5m3&iu8}7`-9NUoqbK(0|4AX}(DTJ71 
zKHFQicMHW|;we6hSs68}-|uy|SvN+Wp+u*BNw>C4y>gcZNz7JkAoEKY+_5IBP`8=) z3^O%a?MV&{kYv{oo32X3wd5<7d=Hf53fkWt^_LbiS9GLH*K3z2po!2U^QtdPSv*=- z3G9KFRJ0LHy-C9P?9HYr!XK@2h}fuC#bAuTra36o_U&bFdX+@#W}Xg3eM^akz=U1t zql{L^N%7;4=8A7zw=K;-5P7e6#YCTnF9eNXoG!L*gc~$R(P)%o5@jHKb=aRkSrI5n z&XI2CzpQFNCX??%^FPqwyO_@1)NQJTB72eKm+(YHlK-9qzx|m5kNi$V^uN|oY`}|+ zf9AjqPwOa_yKm)9PvamN?VTa^BF(XAEnh&i&aWxIR+sF|&Z9B(wV&+CEoC4rl^UnX zfRS+R48WzXpRKGPQQoooAs^xZ`c}Ax9kRagD7R6Z9;Z3n6T z5s>|Vfc#H?3&$1hDW2^0RF^lsRBFeN?dudHYWRN($Nw=}|9d!o_7pyUPOzXskl=6( zLVLPE0)+qqhvz?ot@zU=VkiL+ABZQLE1M&P?XO5^&E(<)&J3S|-p^^!ui^cR0%9Uh zWBX@l<@gm!!J(BFL=B?+bq)fC;Qf6@@tfkm<-I>=3nra`r?1k2C&!v|Xf=^{buOpA z34V8lvORra-};>YQ32Wc^{9UU<#bOr-AnoNmdG5NUNv}^fh}s3mq8v}!WeGn_2q<< zd}TQ3bI0tsKJ?!_rpq)Xkg8~ICYQFAlfqipf;BDQ#4o%UcJl8eJlkouHA920d!ESX z8SK7-IFmer>+#;KL*=#uFX=#>VFMtJfdGhoFn7L!*MGAE zAlAW$%P{bNOpHO`Rt|s|178{fr*Sp8;0gDCO3!egv4U8*KrAdQ;G~_6om&Tda}c=r zfn>nTKG5_ikP!IL04Pk)4Z+>)UOI+)nvt)C(2{tpY9v*JJ3l>7kyu#%1T*CmcW z4d(;^5y6IG!37cq;pgOi&I7!I0OkJ!%KsE_{QubM;otrK*DN`59~SieF`qhR@N%L^ zMCg@5&Uv{l3y%5~x~}3e6_U!Q*kOPTp?~sK>OtWcWIv&#n;E;;V>MPAs`aR=R(6w) zPfLERN zVw43O%GkQ?Fx#tfeN9J~e%UES(+`P>v>H<cH0_7uK9~_lg%gybXK_yVh+-`}x zJO4<<$mF{TD&;Q8d9>0*Ov2}-@0_xoI&hAn1K7v9>e3@^Hn42UvIyWxx`U@PfNG}e zSbL`>m$1-;un%7=RP}_`vu#p6o~M7}%o;YLj^)_X=L}X|!is@^BadI}%aI0?=TDS- z;T}-zeJolThMOMJS2at(y!?)zyJKL6z}|RX3Y8>^Qbr-eB`zFvJycl|)xx+IwF0C0 zTnF3W;Q_oe^$hFin`vk=`vZu%)MB{*XpoL!_dD(K#MQuI^aVfS8J51VQ!T1@eWUmD zQC<~~_irMYg)USN@d`3(ynTjMJ6!L-VW;$W3bZ>1iA8sr>uK8GwD@@M+@=1NrxjGl5fdM`RB_)MuaGVg1oh;Hdogv_kd2 zE7F)eDb^(7kHqU-3MgyMe_|!#` z;H?%>5hw%`Y#W8zWEzDOyDp9>;#-o4^Rt$kA$6mqRBt+NQl*R)NM1DaF(J-S`i@He zBjaX|H$)l4SF!oBt=C5Z&=QznDIoAkkOo|}pC1*M(j11{y1eLhmr9@mBW#%l#q>mz z!z<>d9qPx?cV$m4bUp|T*anZ?r}FRb1DtU?zz*@+($g#@=bs)^aCn&>z!p7 zx!Cl`Y3%~HHL~oP8V+IZ;%>I&b*+oqwYKDBYN6Ty0^1vY{pb0YLPnGNCQt*+=i=0DpTFolhbDipEnb1hdK}oO zq+o#RC|Ge?H9;s+S%=5Nv87r!c|~n~6u8*Ulq9r}6-*LLVJdjuh%}P0vVDt8@2oZ< zbdatrp6O;gZz`d&tUfwBoZkK#1F?N~?UhX!nzPHf_v(2Raem-;hH*NiM+se}3hMXD 
zPn|AI3kOgGclcBJ2ec)(Vt+zg>vw45F<)v5+WCQ@ZQS@rr-u%2>T`5N1D<^DGx&!K zbKuJifXQ#)n&I|yw|tJO0{OD{FQ2cQ@y-s6W18~4Shi~|FWx$3Z^5+E%3UalH6r*n zy=^m)@m`SHgd`iq5Xpv6JrT}{?!@7sNp`sjEke?`e?vLbb~8`0rOcK3=8eP~6HJkh zO*)+0rrc8m`pkVtgY*wD^$5=a*&@h~`^2Z#M3@B>CwN!+B8}tfut3 z9~jXlp}AQQ_~=rx&M&)h&xQQj*_Gp7l|+qvl8_%wrs-Sb=T&bSGhj{jE`xf2!!yM` z(35c7x1XQ;+rS!L9=xOCA~GM3N3i)KAFzp~U-m_wS$%m2D(4s?J_S+o)uH#BthAh` zHkJan@#g=$0UY;pDm3_e8{>;yY6_!+x0KJ20{&`aXK))Mg9jF5`k&@4hIvwM$r}|; z;a_YNJvi%WvZ-usiL$yRB>%V$=7??SNOIG-7f`7!5EH?(B(X#;Nu|G=cV~OPBZo=e zbUmd3F*r^qs{A=tXIsTzlL(K0Am4%4Q#jfY=3r!zD=R%6?jAXzqu5F<&gr{wG#-S? zE!+YJJ%FW}cv`VU`Hign65j`L(=i-c;T=>ehN5}|ueBP)@ysW7EgqZMVZmrp9 zHRG10Bx#5os>GyVP7;Ly;e&Gb!O(~L zUZx3IURNBs$d8$9UnuuSS9DinAUY=tR_&Vis~%huQ=jF}Y3V1@5%Eu#= z_s{4T^}RC^4N4_OJdT{o9df>{yobfm5t5P9pDU|P7P5LptfjIRoqLqY!z7BrbZz1t z$bMnA3d{1{+b=C%2$k#nWK$vGB|B6}T;ywV4}r|iW0KdJR*7mjb=|i#W~V0go^^sU zzO0s4gu{>g44yt1!Lwe^#vss5LGNP@hdAEnL=cQSR%xB)aw1)0_04FjvUrAfE5_g} zhoN~v7Wdw)Af;exHr(k6zdz0G6NuaF3L}Lm!t1O9$v3t2?xxU6Og(>0(m75?*t2d4 z$;3K-z}`T8mO}t95W;T|>LO4Xdqz;ex{4oI3S5Kcfv+bnC4oh1b~w{}U)|MST5+xG z6FyugBeZ~XKQ4{Qt)m>EzK$r+-&5Tp@;X$lo^@7)0`8!egjLv)X4!i=4lS^=7Ag%* zuk~_dfq82uY2FKAU=h*~XHr-eFMsfenUrDA1I|$5L!Ep*7iaFaOSr(1rYJ-~X@o>2 z&SK2??en$l)_i%+3sgg-Pqg`Sy$c(GBy}myNp`@fhlVH{M@;S|(EL{1pz$o=#<$ZT zRvdm`$deUd$3g8_j)D{q3$mXL2o%Q%cXkv9k5A&}KgXwKnc-G+!L4B-0W4x4MNrNj z+hXbs>jS2S@k9gMOV~4>w1+u@AyI}*H2t2Ly-55?>cRV9RS&@zky~r|$SK&u@6)@KT&@eY?_D=ec9XJ$FVAHML%VHk{UIl$GqoS&*z$4>+r$Pbp z#FW$A03AsPhI)Mx+bF}(zcqsXewh*2yKbAH6T$%uy3Ej#YV?`IE~fM&`^uQ9>1kW9 zW~n~`ADy=Lk`IniL%zc3MrpT)omCrv#yB&CkPrF8f=zJpGFl*T?PEQ+KysaP_h1Lq8r z_QTecK()nJKhqCg+7zp=KDvQXk1iv_`b1Ze&;)RNXZ`^M2o!BivDz* z#Jo812Nc_EpBWuyxHvwSa6A!T`o9xD{wMJVekVTh#xLRzGX75d3Q%FsgeQ!N0YPzV zdJ7FbADi1Cl0WODN{d{|!fkQ}5fmT)6xeBq#N3n^%Mffdjhj>tai zci42&i@r4v0jG@CkN=*+{lHXTEo)~E)R@ZV^5dhE)>NU3vnm}Y;=yS{TAdrJ&73D* zi68m5rOp^CH#g&kp@>Ky$@w-{kn&I$uHT_QY^l09Zv^?^I z)mPr>jR-`L6FwiqMY}pSh3Gk26enU@aI+3KGE*}py&NXq9f>^p8|eCxDv|c8uM=O) 
z5ht-wM)B$hC4@0g;7stp%D*xTTsV^xS(c4ES|AN~EY)YLV-Nl~=eJcMIv992#}a?5 z-ROJFi+SfPS?~GdS$`0~o8MLCvLF*zBv>6f7vgQ`zK=yej>hgmj78U_JCeDq1V%^f z2ps%;DZtcEeJj)>O!GyxMghHOCdAIiCGm+j<}&@GR0|vHQZFXseaXZXBQj8II$9wI zcx??LAg-1eoJt`C0kl6zVp0vm%7YOh1Ga19%>5@g%ZX!ZGFt{>^czy;LvSlJPq*CZ z@E$Z)iPn#pKdN{Pvg#{3uaoX5bP!*@Vn{srL@nZ!b>9x%={+^_wWSHUGd&;RHyw)U;y@~8(-8Cu~ff^bJY*^65&W2zjGDNMi zyK;{}0c~^y9-g;!L^9Uyj>5*|(fX8%a&5bvxwwU9S_bEONF-Pen(xvV%M+#z_(CKl=09R+3yvhc235WHxmL?7aJ3QwnA7;0Nn&j#5)?b zw~ecQX%Wb8i|J+G^xbKvaj+M6g-WwEeP@{}+%vzzFNJqH?l4ArE~YA7s`9};M}SZ! z0fg)8@Hr-z!)PMMSJYYF_{IGSA%oYo!DixNl=ZMbjQ$H%&{Bl-kf8}?gW1l}s5zr_ zY6<@j4usMjSTtpR@#MQ(DpvMThK8???MB`zWlBU{%lR3_2gm&*Kf)3+$v6-co8Ot6 zz`i-YA|+5gMaA7_e__{CbPp?^yZA*n{Hy>A>44eY?JnK{`g!|em#2!D3am7P>l`fV zHv89QE=om%WLxqp)ifd+etA~-VH(wq*LHA~TJ<@${U5S}ZX~o$%7lpq@R+w=y4k6% zhYW`?&|hw`DA|-|y^}DDS8AO6wobuYqF{W-OxP68946=YBA4_%zCWO}H3g=y#9K5I zc|4&@;Eja%8f6{Z7>(gY(7xRLiNFq&Dz8|P<+6A*A$~-+G{I;9MbxXD2h5e^&hcuP zVnx{yXs#eiFa`cj8m}{~~@- z?C->P!@WNgdBG^E2O`qVerd6VgtkNQcs%WbkobWuX+&*zT4sBRR3UI?)AUV+W0J;W zcoKw=J&Tgy0bPa@nQUCSYWYVEMIqlXvM#hPLO?(u1H0W_4rYvZm0)q;x@{XBiQlsb zqIqiNjZq8jt3`BrQ$RNXe*q4@-x_^(llWB(z7uLQ>ut~qP4=4^pEsR8_ET^W3=_*` z>q_VupQ^&}`f@W6v1R6b`ajBF5PZ81`++}qv9T`49*O~ivwRWMqUhfohVcn+$wuxQ z!w@P5M()5?HSch{q)0Td!}g*?3<%3h^{KgER5KyU@}(g}g@SNLP8{Q??Q#=l6JBx$75R+0ObT+2gQDIyqD+@_ z_Ej|0lHqkA=FPd)!}4dGbN8IOjsfy6+zAaY`NU51JAzvuCLsFHe$=o}qV--fa7>4H zoCgVCb?du}vvYNzJ!B3^LaKi}24=*+II@?`JNZ8DqyJKx2J&-Iman=Y>oB4XaO2q( zPTV5`C$768&EW)+>?*8h-Q^1=>owDjkUMx|GqNV`bg9$viHdSq0H8d&jeJ%(BO5RqkyPw~k}ABX6^d=AaDSytlYM_!wEJIa+C6=5&u@ND_k-7h(g(2)t^=)K^7l(6~>7aEKy%|Jjp2X=) zzz&9pk5$B2iC0?R>}NOD3xzAxEhJmJ={zi8M1kJ3786&!YTlwAj7@UcUjkiBBAP8QogJU)%`6%qUYAcF0)zn&{lV6>#A7TWXct)C-8?> zBoM7QqmpmCs**g=E+=HSx!}RZV{Fd`Fp;23VoX%C*g7kfXN&@LZq7Z82tqyY)P(qo zN3O6LL42wg7-l;iJL_WMEY~zwz+U~)vp!QO8$cXQM+;9wo{I1U$oS2j0a)r8c zqwPWICsNHRsG~HE0z7s0U|hcnYz~xcx7^0u_3TlhU|cNJ3nl4mUX>pwZ(UuY66qCW z?X~GE8I zMW(x({VL%m*&%{ewgC&sleN%Kc-N#&l!psB9!TXIK&+8EvuP->BO!fT{q)sEno 
zerST_Ks=la3ifISmowDone;~?g4*aBwgvo|F$?eMK+Afp`}xW8%5;w6A94$Eu?Ws_ zJib(5GmDi{m$pmI^etjd;{jmem2iosRj9oc9_)u7N1S;As+;qWbi(;!-1iTngM$Pa8gY##oK+z@m$NK^v;4`;ZV2&;*0NER zZHlJz&Jj28mhXz-MrSK>UkB(l+833_4Qh1{-R}jD%-Xv}8$_jkqkKh8rKXsWNYK}# z!y|KEF5o6#Q{=owX@7ZZlZvL~SCf*S6WW{Xd6Qb$({oG9 zmJtxA zx5M|@LHrUvGR1Fz5K{3?UYyw#2fZqk+)ipTv{h* zQW1sSnqiClUee*Br&(6BqOmxPmbcGvsCG!R3ufglxB0t4HHA5D6WR;}aR_Otd|Fwv zT)i)#356@4YuC$QB0rA{Q>PhgeDw|l@9*eew>`5D zbz(b91mmOfodaXsf2$hwAck$i?fKF>9BZ7WChj}>JA#!T=Q6;TgXBuxDT?-r?5AY_ z<;7f*&gS0cYNaR%J=FGR-Dc?CrJQcA;i%%EDSsHDNJ!xm->Z#dkWIG`>i)TG^kc0-S8dA@2*cUuGd z%r9xpLd;cP^%Q}i78>XK<_qG@x3Bzf?$w&I!-x)wKjy@#5AjoWR&a?hSb=$Z$~ zEro=y(P>oop@au8KS#RyJQ}rsUGhv%SegoSzNFdX;n>5GW*SZnI~}g5YrmUZKN+ghK0dbvd97w;w`up3D_$klK% z)o$9Jb(-=010FT3A3zAi6;c-lZ{=lU zm(YS+%`GNAxwQI542Yb5Vz(=wLDxi~p5N{L+LnduKK5XiM%>VlrtENgLLNw}x@Xx$ zRigg3e9>P~&_V3@03yCobp4)4`ov0b=&r6>F3qE2-CU3&-A{FXdev!8O~T_5S0c6& zwyS|h5|gP$NY{ESDnuKZ2R-u!ekHGJi6ccN$EH&MZON2i zfoSU0&8o_JFDr3?=ax!lFzkn@*I}EY?-}$?C^J)-XH#MCL~9vD09koQQ+kGe-xJ=& zzVW*TZpIs3lD-Fg7A=Mxf3YgESFZ8}XO)Jb&fEOEJE5?lM?fsE>MqLVF-}9LO9s&C zn{WK!7oM)8pWuyP zv#+dr&4yKx$m9$q(^8EZ*5H1;MJgoVvDhru^bxR&ou}k-G>OnF;pyEu8n+Uhm3$Vk z4JBaLvD6-g@S1R=4<6{4y}%6`s$r_wz<3m~alAm3x*fvV!x~h+4K+cWp)qkXAdd9j z-<-has92!e?|b{~NXVu>umtk)TkA7K{`*5uu^%4&7lpxT=0!p>7h&}j?`~tyJZf44 z23i~A`yw0VHYta$Fp<`Okf7$Tlr$JKC8={1y?@_XSRouJJm)ut^Qz$W)weO2QDfMV z_#A+A&CL#q$eA4L6iw|zbwlTi^~By<7j;-U1;v0oxgGJ;SGivXFE~dHY;%U%8C>Ki zCa)piZf@fG7qg5icXc8r>6z#}^sRoX9n>Ja(XfsMC*kqz}mdA6#*CdDj{+&lI$F!ed-}MCtQ($VKW?~s;5MS>R}@&J54(X zfwQg;NXoV=z6ZRmLT=*Ar8|w+9b`lJDuqquBJ#~&`go}P+{yfXvZ7V1w10GIH2cwV zs&YbaT5|kE0(rCPcrf9Vm?=u4xnQG`pi7R|LP`;grD#je2h}bbCjE;aq|e{dTwnLc z-UK)s#5^u7N5*YxD~a394BN85K8janYwx6C`XFMz28Aj?F%v5uH$I7`fo>*+=F<2O zL>f}p9^Q@mxTQC|>dcA`y|C6ZNSQgZ=<0aXp}h4lLW}A<&$J!0V2nY8mjET;DVIgr z{&slSaSj9@%>pMZ(Hdj{OrAv4-%mZe968-n$bZ;$S;NY~I zuFGxY7BvBxZS?T`Dg$>3?=s&dR}{GOeo?b`?IjU-cE`p@cu817&YZbVIQS#Z^pggl z!A`4fbPv9Yq1`D7=3Mb*Vg;2J1MlJI)?0b1a_1DDQmK&e6LCbAk0tV9**b#X8 
z;XBZ2TjRpKaC$r#((DLl>s9EA_(&>5*}7Ckd*sn{cfLns79A5aCm-UswR?hrv+50F z@$U1fQfq8xd${RBmb^Y`%4W=d+uQeXs^qS4bCv8)5@ch3reuorOpvl8uU}4uyyXZb z-l^&fNqsGb$GE%`?LJEQA%0!DaK=7|^@;fM|DE{BKZ)P-JMlRUe-WRN=Xc^S)o>+B zS9B}7C9?HHZ#=h#bQP^ksyf;t1)Xu zg}J$AVZd=@mm8);5_Efl$~Z zrz9MY5SO%t8{)|Q-4~F-P5C^@jUZQ{fwIRYnzQb;coC%gT%cZ27g2thL@WLa8@-Kq z>1?#C~~5=}UELO+fC@KG1*YSLEO=uzz|N)j+;CMwkT1wfB; zUw;vGLzfja!(@w&O@p2&;LJ9o>L(tI6dje8J+K~3t{rZ}8r17SZdm~_4uASEkNTK~ zg(wurmn0V)SO8DnO1-q;9?rPST_0|PC8p$#eyq50_&y6>4@xmf5#3edTN|CMkF@); zrPQW4rNa#du(}_=r4h1eBxBYwfA$5b?H56DlNfF&#d&MJVLKU_h1$WLkCKcWo)+ET zqAz4C8>n=!Tc~8!i>wW~gU(s?V)g_ideoIxd;5=eawBqDa9gEo>x1+q)(3)HWw(s$LY>xzDk@0sM$qe|L&y%xV?n2%b~=j*IztAn65 z9vT_ZmC@yQ(N~qk>k0xYb$q-yt;c$A=i6^=xfolaG{pa7utCdHV8cIK23{?UR=L$D z`<31jy*)zEz+o9&pySFiF&mv#I~vjMks*nflDcJ)OtN@;W#PpB#hO?VSCNV501y4z z#3RqWV_fw3Su%Wu?WPLZc$Vh)XPzNq*iAOE14i0Uoyzo)4&?0*4U5rsHYkcKvS*>g_X~^%2no7;!=k!3V>FJxgqHwZ0@`E_Jq|i!8@tR@ih2EK2 zjcF)3UHh|F7ow{cMpG_u&ksg@=qwVtQf>X4X@w5f)8RC}EO4-z>UL6X8TRk%KHk87 zCCXWC%li^aIX^2+BSwi|mTBTw&5=qc!4CUz^S{LAE`E&h#aQ6Fs^%)jLaAOCGthadQp__%lbrW5acUan{GtoJ@i zb>{=8-C_6#AQaX2#}@ze_9Fh0UYt>j?aNEFl{M?fQ0zKbM)PK_YkoJk-3^2e)R(hC z>LioX#)>R&W>9$)F`^b~xgyR3>A$;`P zl(JfV#nF@5iC>|%oX!eMudi&AZstYx zE5;B(9x~9WG%<(U1KkfWH?n8EJsJ0%X!EZ7wUh4buebDMb- z;i>B0X0XLVHSrRBh^*W8;^6=drGen*H#-hks`Hk}9%ZR)2t8p~g&B<|-EK1|Itr7$ z1y1Wn7{Z*RZy<<}&rB$*iXY08#$M^=wCWR9&I^n+sd;uPA-_jY0c=nr&v#jln5cWq!S2im-V`K zzx|lx4%@(Nk{+6kL;rE&gEB>>D-LdiiVRn+sKf zGiUm~yk=O0D|D1lRmSgC1r>hG5BTaom^*8wW>w(EW1C(WR2L^Q8Fjgr+onBQ?)zP% zHU~seh`kqL;^|y0_)aOnWOt-^d?ZqfyLjVxg&p`4*Ze6cj-G?D#bMH*HMRZVY8 zBchWp_meddit_2`hy4l`@mB(av@xoc7nOc0=nS*kW{_NYIKC^F4tg0fZJudjf`|To z-A*P}yktYB@SYVbtC1cm?9?^309|irm*q(8lP{FB!YTSAAF)NVuv_K(bD-2?VfQ^i zw0)^{hbI{Bxr0&tu5NaM2i)f>u0*xw1r-e-oVRE}RwDZ-UPAhxw8>D6QIm3G53OvA zgbF!BUKwbh@1B+7qj`gRVMOkvbfwHqp+vr##HzM_IK<08WFf8>X+cZrF@e z{i-Bf?uY@4>!sM^_HLo=yzAVJsMqs>ij29g;!MwKS4gQ5WG&bn{b%A{ah??&nk6d` z4}8mB0}C@AEt9-73@QV))w`=a(V)>PM?fVtBec}s>u 
z11kDKNDYyMh#CoFDY|a6}97BFLR03!ekDdN62w)nD=RrJ9JGnGe+YsY-CVG&0~0=_A27 zen3i)#`$Qo)iWMf!}$a1^M_Wrd~xg#6k`KB`eJ(=Y8ZFh2tY7LF^gvWFt$_+m?zEA(TStWX4;|>jI892WCRgO zQX6TJY#5R9r(@V!|AnQJZg)RgAC}JsOol zrWNqs?lh3hZ-r6^PLQi;wJ!#kF48iz%=>v(@;9d7BE-WdLGL4JEGEMeMr=<{3Owc= zGQbNj2p1&(L%9W24@#n^fD}#OVklxVU*a5AEJ(ieFcb5JLURkm7M;c%HA=^ zvaM^kP1}{W?MmCuO53(=R@%00+qPY4+vcs>=Y3DyefK##?)PK;Z8650GurGiqCb7G z>^|k>K5lIr(>wwt_s_rR{_y&EJsP3?wtuyaI~zy8`;OXz+h`H`<4jcnNy66h?nNX< zgsP=uJ;E-eVDU`hJXH^rFv$^$8_-Risj4T4Yv-1MKbhy__Y0Qu5IfYk`~#*Nbo&XU zGUTRn)S)ErEBIFcWJQ>w@8c>3k$tzQ&;c0CYOQH9NOZ%AiR&jBlgJW*cO3Mq>kcAsiW>o(J_u;C~I;`)l< z(mW0{J}*8!AS_s{`nih||IvxXqv;eB5Et3iXE|@bI9(F!WV&N!k6)M zwen$k4|{+74DA|>>!&=%R~xU;ommp|1#>56&x;tR#3&3;k}UA zgoVBtY0~&WBxOIg^XlvJ1Pen+q?mFc z^$~HecdEKmCkI0YQjh123E&^GOSx)X0H4fIF7`~rxVb27?a}-X5fmf9Rni}A)+J@5 z$h`5UT^h#4&kaEO=*QEA=)F))g|e>Zv8JD0c>HGe_C5lfOT5*)#IqrBx8^-XypWIv zAy+hN;EBMDXKnPun1$iNUZzE20Jp+@M=ue+R7c+o(DwV%o8W_YBcATx*At|H@!a6l ztbV{T)1SedUsbBg0_V|UW9K=jKCAO4-F}|Tg~@9BIy#$(g%1V|jhI@TeO_d@?oE_` zFv6z{DJ}yNO*G1~I`;QGynB0?^kDa*>r2JFH@UcxVmLTRs*tQ_!iK+` z6rjH>tZ9iZW+gHsoo5mRqr`spLkm5cLyh3ErYcHWs(wK22Q1E=l4+-kz&c_3lQoO> z7F86Sf>nBa8;u4J8#8~`sbGKBoVx52zU95(-)*8EJbAz0q_g@$S);$KK}_15oiiy0 z>bJB8Uyunukfr9m2c_6afr76RQR}YhXcEKI-+URDQt=R_*ob_h??c`svD$<}w^QeK zjhRn-gfW5Qwa3#IugCnR27O#Ww9X{K4j!s;XPG5|h#f~vt*X5etLfw(!9J>otebD8 zcrM$o?yBj|)zc@7_AHPV3#c!Ji7nC#SRGI1B%+gPro^oLT^E!n)Iie)zO3`$%&wM6 z#Js;8W4=ZDMuP%ZZPSmYhk!Tw$03$O%|0gubcJi+8^Bt?nOwb;Fa;@P5V%BGb2m_f zO@`=(+j&ZZT*?i2v=f5gK-GMMPonKqXrrl%_?f82dUzcAq(M|hp7#ePd^}KE;R@X) znZP4#2nCc*QtT^4Q}b7=-O3nH+S>s zje4~wwdsV|!-Gu%CsAzkH!)nz@}I=(eWASJUGphu6M3>dsRdwr zG`RqXtu??xp9-zD$gzUS;CMLWV7LxD5t$mZQBPPtJSU0Px_B4>20xpQc=SwQ1+`i9 z$U+Sj3kdth80?iXl%#e>y-5|w5yG$)11uvoAa*aj&7Q|RWr(9}8Qtqz(WDUI(XVo@ z?rU8g_9}&MSw$#kYtiy0;fI0;icpW{29r4?3J+QO9Z82z=IFT_9ze(26f$(OG&LUf z8u0qi=D}XlC60aJnrz_NJT@Z9dSx5R?cNU~Er5J_s=4_l;>BVG7nbLlR-ihVsfaO% z`4+-k46+RWrV^t_(kltQLv+(JrF6Q#Tp-35?fYR^x!sq&Z*|!&sO>2yYbiHb}ZX_rGHX6JbR66)v=8w(0dVj}irds}r#vDJY 
zc`mlt$zs7Khdud0ZzvvfSP**O(4ZuW*_vHl~yaV*Bg|u5|a2A-kM$CDYQS zcb3@8$t(?l0+Nh0YnGo5KXb#oue}$)ySsm<6U+#>qp|!ZeW^CP_{MJz9}c|Rc@81Z zoJpiA;bM{rq#A>hk(1ydpmtn*&_D|kQ0gZme$VRQXL!zypf&*$~F zwh8W)DffPT;k=0GcfP@Cx$w&UulMTOL97}PLTxTXGd``x(eYSZq@g#>RG6g;!k3~{ znOk)=%xWpQsmyQ;bsv7oQHLMoOEVj`lyHZ34LY)sz|SPl;61=)o{IesXVQ}kZ=j|# zjyymLWqx$M6V<|%n;6~WttKzeagPs=FkL9#8DyLni*@=yi6lfQlRVf9f*qfl4d?YK zb5lHTz%CD`w)rBkZ#78KXoo}r6wxRn#3U!N zuPwmS;kELwshy<*$<9C&tatOoos6x)VUTT3_WRRJL3~lSu+s(1n_cF3UVE;S2wDAN zx3pkJubFz|?nuI@+YlohO6-pk0M=O+C`-?_+_Xh|vQ&^-?Z{hKLoCaj2xsNom${Us zKV9}{CK#aE>RWc1xR*mg(0?>xH9+SZ)YxFMNe^IzDIYL=+zd@5-c@9qOWUV8y}l6V z+blNg;i{_V4byl@$k=;Z7iO6qj40iu^~v|UwB$-Y@$qKVDwrcuFbr~R$E!~|e+p@d zD!}r6jr7@m7g}=dT5mSt&Qzvgt^}@V)j+^^u#+2Rx;)|`P-78BkSG%^M%>|?VAXPH z71)`^4FhgvE=o7!Uj)9y%@zk`2OC;{?(WzP%Xeps ze?LP0!A=B;nsURBVptDcGpYorw<8Wukt47*@c=%5L;F}XRA)#nVKM|*b3He=kPR+* z;9$mSX1kERYT*m{aXOvQ>PXtEvfOW@5Nw-k^eE>wvD)~w!z>pMnTubGILLmH_BN`A!) zt^4{dZr#sWOml7c>U86(+#sB|W&4@GC}G?HP`|F+kmItJ+&}SC2pN8Wya$5xUFk$k zUen?-R2k1X@a4KBP@K{X!b5~UPv=Je`4&_EyYbWiGJeeo*mAh5XmF8MM#z|8$7PkaOG3Glw2Oqn2iES*| zf#*2dZxE3V)Gom<&n?;a#VfdH_HSL@EVr$En1zfL5V2dRl z$xA0s(ywE`g`|8NkWM(-I9nz~DD&&gxdT*$>{zC@pY8c}m`>q0ZX!sA1`0IRx|DbL z>T|~*aV3jw8>?;GUFTI20nx5O2*JIoJ0e}&IjA|(r!&DttBpzV`m;ScN~=Lof!pp3 zro2{oLp#+x6W7$)oY;I$hr!<|!& z3M#Iu9#qg#i^f()%)K|l$n2O0b_SCR)4{G9tnvVf)5{MvvQWlx^BS+LZpyJ-S2K** zQE0n&8N;3-i>@Y;^+iPL_8U&A)^F=KfT1YB`qjb~zv>mpsGU2JDH<1|%1N|f&myw0 zN12TzRK}fu`n9hiGK%79GP4lroKq60kaW{%wt_*tqL882be8RYEoozOI9*XaTP9cm zx{_U8ZMnO62%`vvxU9#v5g#&BF@bCQRN8db~L04tEk?~dED8L z;n^eKcY^c#9No?d7VU*;sC1gWg8&bH^G1FGY^J^ThgD2{$FpC!9|uo=jI8WXpF;w{ z-u08b_zct_^>Fm-B)XX2op+nRXv~*D=TwXACaJpEOo%CvqkQ#X*3nI_wPYXBpq)iZ zzy}f6<}|8|qTso1-S9Z@^>l6OdD8?)I-}r7?w*C7_P*!^rB}$73Ftvgx56tEhZB4d z6c5{h7+c?bnk(kTTuYZ}0tAa?TJz@^$sw-Aply(3F5%){L<2MlE3<7sGfGaPF4yKO zH!S$!h;W~M{le%aYnJ0TP8uFGln6`OyISeqZco)%H;%2V*}iPEq;VmJOauDpiNOfo zUrs_zrm1Aw{5aK8{Awo$P|H8{=4bumW#Fgslex-Vh-HOF$|-95AcECR((jeF0%5_^ 
zK5W@fn=kBYlqh-xkd-0w22pl&RDs72C#iZ{RyI%aMgTrKG}t3JenQ>M^$*O_zL}#6 zF^Hb?DCAf++~vtOfEiS&r^$b-xzMc*Q%_I#gQt-`lgx(D!R?#0h*kc^>`kjv8ezH|S&D+0Ey@*kzl<3(BXnspj!k<&Y2k0-Lq%u$rQvGpbaD^7`@Cq+Zj1p?QzR)?s6! z=A1MLf>5so!sv)IDeNPLQsLNw!NYXnkwMU)e`h8SM~-TA+5bx_Ygylin&A*RZ-ORV z!7Anw4Z)lzHEcA9MMDrkMO~e6*2Y`cwv$_E?;g~rq4@ZZ@oE0u_!)m0zw__LSH%6V z@lopjxADRM)c7Pt6hj^nKew8{;tWid(B*3{F#1AujSgh?z_zyU*>_BhBj;RHON_K*~5sJ67zeDq4@=+9MKGIUll z-R@e#qeVoV%CH^@c89rj+v0+sfJL@@0neKrTCIWP-EVwgxa*Vc>y7U;2#4k3h-*xD zCLq-(ZeXMY`G$6#dN55xD;_~t=cn~Yni-M7dtTm zr$K16M&wa?yaC^9?@Dw^QY+CnExei(W5dRsztG?dS}!DF_k6F&+Y;qG7U?J_^ui^Z zWyvzD^kVvjnPz7DPyz{lg3EQuStU2@O}5vA_CLV(!&+|3ASn1A{ptD&B3ZGjlu>E)!8(8=83-B>N?B++@!Blp@E*TN`16pumHoGpBoOD5By%o<)Aq8%dcMy0r07CSzFOe;^RZ*_Mr zI-LpFOA(g4pdZ}218`+ik$NM6p--=64MIiW&Ppv2KW&`4BVtF3j3!E}aL=KYfu6Lw z{<&)ZyLzav+!4^ad%wZ5-%v>zX^9%lw!*Sq7`_F+DzP|*&GRZXV{a{U_f*#cta%tx zj?!ynUHU^(FG6E9I6EqeBEU~AXhK0t7ZXLHb1n8N;l^r8$4h%f1w??7Rw;glFeQqP6@ic*J^u5|(8%{o)QMrrm~gc(a$4)@hF=Lh9@S;EG$J;s$;0t%rW7V}9Nk$Vj@ z1aL*Wc2CVb<_VxvXQ2S1P))z+a{B{cR@mUYurqFD0MT#w2~PS$z(hVbWQA?MYPHx@ zx5g^EK98YZ^}ha887T+PhilT})!5{Kg{fjbi?v0RUK;+mcelfLoZKOAB9=7+EpQF; zl_#Suk)UN%m=peKKx1ol@G%2lWh?w#q0lb%6qDuuOGVlP3?&SA@CX(8(MWCx(Noe-*xO|MU zPJE1)sQgLI!ugk3_O75|7e<{=!VYSRd95w$feHa=)R?-rJqIJ^?jt=@Qw}%b<%~}sZY0mG2jyWQ} zKxm{2@Wc^=AgVKtVVZQ>dR_T5i3C93MV#CF-=m5;dZy6Mn4Ic5Ysh=YDb(q(_Q<=D zIBt$3$u^-?CQlR%sF1tKU>^|qBG_uT?qtdw8OTMkvzq5W36pVPkF}s<*y~@bU>H}Ze7Xi_xw&dp{urO` z-;JO7m+?FPZhW<_{~A9h{_n;wPdEg!@pGylIFKrd6q9Lk8Z`k^^~4(qo^mV4uC)Oo zDBkQo%!=`pC*=HWy!&?4Cr~XHkm+&O(a?-%IQo1!CH%b3uwT7BTs(L(S$sN;A&4N^ z%s{tqxZ|GK%15F>_oA7~%8iw=cFH9wV~Er#3JMOPDWP@I%Qdj&&Dd2_3)5GgphnE- z47T`exDt=>bJ+M`p8o=2fXRx2i17Si12pPFnDDmpUROk~H2&%+9i}1e%Zt)?b!+TK zd}dO8;o-HZXJ{Z5K+cHlnHtr1Ka%@|@*yFd{Y15{*o%;H%j=Qyqx$Q6Hs!%o%_YI4 zaYEq0x$p8iI)bs9hU(n}vs)%pN@l+ew!n_SB~({g?*XZn3&dckCiUD=jbIe>uuop$ z7;t=8pR{=|kv}Mm@GMQrR9i-3kowBCd~ml|tfad%ynfU$V!lO;f606b1moPMm__%j z0c8hg^vo?@_)>-t4Yw;@+Jis_MgSZh?#tG8U|{8N8-lbYUt!ce9AYd8zuoV6({7h4 
z%}sBebP*1b$aXXIlpdIX$An6K{)^m0QASgX*e=Qpx;q8NGj%JeQJ;SXi6;6jTsEW! ztH~g|45f9)tsCIaCA@VHf(iVo0W|E6ZE_tRLv#@^o&XadXWVSBIz%u>J89vKgS-qz z`9%)e&V?hQpOl9K<)q7dPBqk;?Cg3ODwR|dg!{m(y z+^h@37U{MVbWAc!VR)nvoW4C3Jc1uIH|NI^ShRgbJJVAKvH>?YSM6JT-!i$rM@K4! zG=AkmRmp`i!|@U@a-%rcbM;^8@BG>gj@J;NMlK5-CkrlY-U~UHCRqJG+NBg#pqU*w z1WX^oP}0*4zSP*>&ID;`%yV9+A|DKDKkzbnsT2f5|8+ZNP}rsIijug>1+}%ilR_vO zO5TuPNLJiKW0~`mO|%IeQYKG35{RSUSMnXrN}G@wcQ6#E#}x`YMe)pXOF$91|HQWU zd=xq^v>7IXFOj&-Rfn#>mgTx;NgS`+!FCwG*Jy=w5pLM50Oi+A<`rdwkxO>aOnR7g zw9ULI0uuOq1gG|1I8ih4SANGEkFBZINbV#ZY3ykc9dVoVW_nO)eCt!kU8GT9e~Oa# z01YM^QFaiiY2xpu9NgUh%ww^@HvzyC{2nDxV$$^UNT%v-Z=UH1o0&?w883ssZG?-_ zxMmzlk{HqkpcFrQvNwAUQ)!Pw#~*zHiA^{QdY4erFTM7G0vz|1YpjASpoF^};5+U4 zx09}c$aVnWkf}q#{oC*9Oc6LZ{;N)Vt#0!~7?@4Q@w};EKU#?WTdHN805sfox2VXqwhq9ml*6!W%kA4^B)&x^zuF_!2-#H7w|LzE zJ)Qf39+W441dda))v*TE4L1$J4@&wFlBZSN5mJeO5LezwPplpl9`0Sl<896&+lSf#j&Z}_=d`pi)jP#O*UC& z6YSojbl3t3e5G+SRhKHNK7r5Q&~(@Yc)NzBliD1UJ>Ajus7EEY?(w|=H12c_Q-oG) zDyR1Uhw-!iGJgBtjjyBqU*p@}{oVMVhB`ByQkf6#{7jTIGvdJ5Dmo%7GAYy4MQl@7 zxui!tqG<-7-YJ6sC$B*#Y3)kZpGvDB4i&b{<*0=j697$sRy>YW!lqb_Fuy{tQv{@@ z@G|Ek++bYCoN>{1Dbi=;{ZRx%vRh0UPIjWijD8d=Cn~hy%GUNftnqCX5;?HHIe9lF zjxXfik%G@{5B8dp{$y=f;s-0DaOE*>p<-Og5(gK2E`%7VX)`;v#nyMo&kuBB#dyh# zro24u0ZGZxkAFQII;qp(XLY9rM;t!(Ho*yW_FS}ugbvmmu@Jgs*=^(-W0^)5`WYKy zbG;|^Hf=NSTe=Ou-y}B$Wgyj;mb7Kk^_2n28oeor<@4n%gftmnp@e2J*;|yX)iv7( zK1nad>1jD*9|s=H5I$G1GWBG0QNe*(6#1gF#W(pFxScR1M^|$fz;&H11_LHQ&q|Wu zI_cHDJt&PizV^$1*FcynaD|GT7lJHZ6izv+{-8uoXz#70sl;RW+`}?m*RD?>v(=qV z7JlTd-yz20rW97AE&hniBB&^hqY{_o4Fbxo5ZQ8?@n?pY(p~skw@c>pjXhr&QA1UW zPRhx8s0EhVy$!J#i8y{P^*mrF3R2#WPiDq^}p zVo+~LmGxK8mdjPoYC3JV&O%}Fiwb9hZ)9)hl9+xmrKCZ}tP z!+0r5qFAx1iORf^8ZXV1)fIbgtZoT(*j1saYOG069b)j}sfe|iqcd)~0*DCL`oFFv zV?qtV$6^zR_&k$DPC21Ir8!l4hoKmP$kPow`TJAd|HLxn$%vWpD(Iy&-(nXUY-dSZc zD1|3YY#haBZ!s;q24p>!_X%DYZNVU@;)`ri9A?GS*Vd(aE_M)C)Xjic<;~p&Qf*(C z{xl6)4^^LXcR5r0l6R7HB&LAAHgwT#9_?QZ)0X0iscEBRQ@!o#>ueDqJ9{p(;BHaX zRsb`*t8vtwjy)p9)nKD}-g$PqXtl!^8U0n~SxC6={gDTcF+Yr8k)DwP{rjFiV^Bd7 
z5{i(ZaRSV7hm)){F>Y_oyE|zfPWQZz3E62);&qHyyy>M+XjNQcxmj3 z9!MZ5^ExaExsw`wRpr4c0(H{~QQRXi2Cc6#Cys;P)>@c_30w!!?s|s!Xxba8GHxrq znV9wqMuM-p4S-MhCN1R}4xwP)EhP;PbXIw`2Nwt9YG2q`fG!-W^6b$*Fby}34~UlVDb$X!mEW(7uCxQ2~bj`b0g*XV@QDmF(;uc8WwAI3zc z>9zG*$M+L>Q7_ooXDzTt=zC2+VpAJK(H^K;+ugjZaVthz$m)Gp zII$8OvuNbV-!uf3oS)!I6rRhO}3ie6r_Ay?WS#L<+(iKYoUnV{C%x zh&h32YnL(zY^g(0tD?%ydEnG4p*%adUQUNhN^B4}@(2N?T^Pt~5~THZDmty-5dE;~ z5hQiw%PTx|u6{R%%}i>+)BuVv*|JDK4d7$nKMvO>TVgnQ_gma4U*9`J#!UjqX(kKx z+S5=#D_jz3M*d@b`hTzSv;Q)F+ux0E`1xPsKk)wD_?;eKs^em_B4Ti;?M(+vHMo&- z1H(NtY`eI{w?ZsYtuEs1q@QETb+8PDED&Id^i@7T1%GnE_+gAaIykc)P2O{roHg#h z5C-A-RlZZ;mcoMpM8vh+O&s5KhU56A>OAi`!f^l^+tku*ZBxMtc(}!QmCP(phk)CaPg|H)ri;F ztah3R*7!Z6#J+?_3ocU8;?7R}JB+1wxGv^y=fyp9klD$Wce&iz?6ktKfZ_#_Ky2o# z8Hw?{@oU==NDQH^Us;4sP`f~MM*C`W2kgxVpp#~)_F~9x8NxWO3DF1b z{M__sAu;&uLPg1qz^N4zFJC!IoeR%xg+B)@e>!*qds$P7ZUIiBrmRuMbR^q&dxCqL zIRNVr$n)@F@Q3%1I1~BD4_H74ZH=D6PhHTSc5OL?cFJSfUg{Ik=BnVni7d{tIx9k~ zleq#7gx8n{Lc!|D3Dh66ZjKU>J)wvomvDs6e^Pb<8A33y9I_YIf}cE#g85%6U%^L$ zeQY04jc|w=`}^C@nWbv(#EwO{n||-gWxUeVSy?LT7&gXGG}i_uCX{C$VDWoMv$fx2Y=*+HjBNZ=$8RhE(m{{?PtDn7D zDQG6gQfj{nIN=LTG!?8NMv_ZYz@ta$TH%b#yI}|y^`aoa0SX^ zCfQMo9`j+47|Ss>CoWajPN6ikLhEc@^`Tz%k`PPg@)8}_Zp{)L;8~jkK7>e+TjY`C z#05-+v*1$C=w~v@faFJ{Evt@ssW9JR$d9BB=9G%Ax-Mwcr$}B%4&b~{%QAyzZ#Iz> zRgnBodiU}mt3cTjgc85UGKtGIla8$xSa9)BqihW*GwMs3y{xx>D}m&?F0ZF;K2R+dt&SgfU?f8~iWM2>%)f_f^pSg{zHHf&+(vxnn=w~|y1hbi ziXd0C{_;3WFonbVJPZ|x>m_S^263VoHmsNk^m%R)tgp07V>W-X2lo<;uPuqWztNv5 zzNN~x_SXub87FwH=b448noDde*-d0LSn|^DJUWz8H1HuQc$3lwqiEDj2&@9W#W&2Q zRpF=|S5!EJkAPoHY_n5F#qIpL@b66DfPtQaBXaa=?CQ=VBEgXijuM{W!kc3T+tgN_ zPhO>vswXSk*?|2Q({r&lzhh3B7x?l~4-a&u+B8N-G>Kz~JQliE8M`SicvZ^)lqIV} z`zw`apU&_0|B(4=$;%o7b=sP4V2xCw%TMF2!f$qU)cy2HXm8g-GRRqJ?ps6OYrF=C z2$y4|#W-B_FkI@s2B}E(-$$5cmIQiSJay!HM6&sWyHHQ9qA>`4s*Be#g!U9uyuG8E z_o5ZRoV0@zaU8(2+8iD{{al$&-{XDnNcqfT&MXS}Db?<7k=+%5?vKes=zwwXu2(u* zgG&&Fc>MUdfnYz$r=?ty^;K;{@IU}VzK}4r z-N_$nVXg{9!A4`ej*X@2H%-Hb0QK5?kxr3dk^@mdP)2bVL{%Q*uwOo~w+(QNjGegZ 
zSP>tCi;ntZa&B{Tu*Nct(sQWh^pEiw|K0dGe;L2^@5VRJ`mgbO|95Zi-e2eVcV!9E zge7Q1d$`ho3oV+0{NZW#Q0QTvi8S1j~`WDEs(-mABJ3JV08p=uxZp*pHHpacI zlS6b4dp{Y3`FF}tBF2QsV7%`Xm3_s9%YnYuv`jYL+N6y=6Lv4~JKrK#{P7GO6b(!@ zi&rravT=cDPvazhGE~6FH0z7Z|7`fKqBZvc@J%H*vZ3Lr^Sy0tptz)^Yw~D8?#Gki zNwOnzhhwVRe%3o+Q?`tM>N8Q?63NLzN@CEQ9bt;TIztbN^ayy6@$ORC&>kTz<8g43 zol*s$6(%{gP?c@VvvWcl83Mo>`E;-?UvdW_Zy-@?%koLSE|a&izLS2SWKQ)iy{2?j zT?2i+Ay9QG4v-4IG06U%Kp@jPm*GNQM#2)1C4Pb69Y{&9Sm+K}5UK(w9V_$tQwsn= zzY*ck8}UpU&$cwAhW&;>Fnn=&^rjADnrCS8b{106nP(SiY`4D^S>lgIg#?+ry_ZUX z-{ZkQSEp#AwJST?ogB!%F1R$00m_Oab9G>jC%EHKSK)4b8Oe4{-dWzzE`{(^cK1hR zaas5jOKixE3dLp7%kPFZzVo`q7oEnp0dg;dWt3(~A;limIpk6y-W(nrNwz~a1mwu$|$mzb)kV3kO zGEnonGDQW;sC^f>aVBVE1{j4(SUN>(a0o&g*E(seLT^1q`bFdGsgY0&q#4$<(&i`Su1t< zJwxvXUHSep^W2nR~~y_+U_BGM;r`o=z^C+$+__Cq#RQ~ym{jz?VK3PWr5r=zbh{Di4? zO;)SQYiGyzlU`s8*`Oe5IR12*q8(^h0?uHru8 zqNaSA_L4D+4R6`{I!qAg6mH;WnlExdAZKUj<1Ikl(*Zy(qLzufk=>~^YbR;#2DCoP zB($`zDhA+enFXkmxKdBE+2Pgcnww{c`-y$l)TTypG%7}|hF{_WIsyj>BzLh?_Pe7> zxrPb*9p&y>W-%388iIk}XGy~H6P+gsTN$pF@;12_AfaqkF7IQ9{87pctlM3hP-ius z){Z(g=XHN1=u4VO0UnI^iulNpBXLMa8Tg3!6Tb1yYfUDd`Z5T*IJzf--vo$#ZPxS1 zs1k3X=~b&POJ{EyFSw*+aper#YHNN)bJZ+T&; zt*EZ|}nKg{}})KzZ*aIFXOlT-T1aV z|26)V;@@k00wQkNl;)Tl3?A6Mbqrbm2fkqL3RwIl}j3* zc6^AqZ&uBEgazZ0Ck^ylT{#Bpxj`wk+v)wR$+L1Lx*TA%__nhpeKJ`nH6qLV)!N3= z-&_jegy2-UmrU5hB{nS!z{qKuH9%EwF07u898>p@`|}@#SDMkyo%Ro_9Qve%>#Sp+ zR9H{BGHA!(0l{fl6fdS z;HkMmF`{r2#{usgv0JNs)C-|vU9A*CAE3h6x(!vG-@}3DKf546Fod-A+B_G@2Ss6H zYJ3QAem8Vlhu0#ZJHhG|;NCkH%r?ujed?fq7@VXFQlcN&k8=i(^SGZUQqxxg5MZIj zgYHlCmqCpv=oY&oIt}bC*VCVpQW;?oS$)Ba5?(b9Nn3feFc2k*^y-~$q`?+3>Go>! 
zEK_~=jm9jM@9r^;Jk(;1XW^dEB08zRYQj+HOEDclqe+zFiDi2Lbj7*xbtsH5t}oVr zXzqU_UDHbR({BEp2nKV)(I1>Mh$^_>{BmnjaVvw{c04D%iR@^Sq#<8Xt;&zZ+^6T@ z0(i98nDQ)lx9d-7HD0WPr_wwBcn-;H=2H&Fa)()CGoI6=7zblQA{&=X{(5FUI@-=9 z;tjoYhg@7o;7!Kww={F=fe-$CC&J z9s%{NbTm)}G<(a;CvpOriqcLT?mZ&EdoKdRP-GKlz@@jO-K9?SEdtPrfMnR?`n!&1k&uD#-z=R&{pms;f?;_t)j7tg3FhX z$*oq6GPi1RTI}Q?@N!geS!zHV`Oo*1F5;;Dt|)hcxrw0w04N5g*w+==RRG<4#k{>w z_F|g1*nt;0l%C(rTMXnApN_r*>M`0_k}@ZCBRvBoV0JaiAZuZg8?Rbw>BFRnzdVJC ztk*|$X}nO_1{sW!BOOP(bq}XC0)Cc{fjPZ{8abbxzCT6wE5f@?8;m~u5JP*8PJvFb zd+F?2-E~3II0xg~7)J4DuYHsuO~Uwa_UA*+CiUBUa3z4chy~fG7+TblR)qnT2m)8B ztH%y#U`9h`@B0Qq){4rOJ-rB^TKdX{+H5j8CAYf_Ew;-|v&;5SW33sk4ukgfiCpKwY*gB)P%9=~kDA3jLquF% ziPW`U&#i6->}zQQ!m_1`^S#oRPUck#u?-4AQ~||Ci$JC1=zDSi0P~2U;*b}45h|({ zBs{e>R(hBkO@BEJ=37>M=}{s%u~cY_XpFBQf)OuPKgsK2>UVkA&vXz8b)Y}SXZm;J z=lx~;=D!=?Y4g9vN9q2%@z;H@6mv{J2NT~yAoukKO@T&fm+HoZI~KYRN`NdZAj_%M zd~{7j*fi3S&o4GcSI6B%QsXJ7CuI?o)L+V0IIP^lM;LNqMSV&qrEml3wYkW~R26@N)AX z2GrWxGI%|dirhY?BB_94r4&5Z80=&p+X|uI{xMq!0EuzPbi9v#wG{}O4 znXE5*ne#9e-EXcjl9^ixa|lxY6zA%l`v&|d_!Zy~!LjP4;>e2OHlpe4k!w{_4vhtE z-P`I@+Mb|aZCPjI2hX0*HOG>>i-_xUwF{O-%|qU&rWcEpy-mydi}d?U(eiDj>y`lb z2KRI7)-6M*g!*FLv>Lo9gxLg?HzBUL{8sP1(pdKMZk%jpLCIUCO^L;bEa3*RlHx>t z6D-!UI->-7CDmH|$*NLn1HpZuZZx1;M1O0J9hz{XP#$i}-V$acDvwae?%PRg@BNk~ z2xQ+2?%rxK>NAWPVKeK=YLqqyS>$V2S#?=YqU2{9_4-wF&1e}}8YsVzEnB$!Z7HFL8FC}Ee`lwkc#`4w^2t~@zsNgw#chx)d z0dlt%L|Tg=aP^|_a9n|VhDv7v`Q}N-;9wk-R$@hp&lnMsA+n7|xKJ)?Mp(tS^i zUUf`LT_TE54hIN3GLTyYas8P7WLs_I-u5<~B;(fKL*L-m^=xZf-IY3;d|>pi^NqtD zM4`-Fb#~-3*JC3#byfS&(hj5iLsrI3-wKS%UJFpwv@tvlz*<0$m0eT-i%BiGb~r%W zO-7nFXEz`PUVY4Q4Cv-eMJ`+m5qUm1%b|!v5oDl1qt5p-5jo~Uv;}r2CpQW!N~`Nj zin3v%iq;?yNUVq&;krhV%<==g68&8W%qf20W**Q91n|Dca~hzVB1_A<9H}U}9x2R6 zDDqXH1D1ngafLp&hvPtqsP~1vXnVzg;ik5&tzFQx{z{hMrr4=;KPx!hu`&)uy8Vde zAK(H3^+~FmG#-GGu;Uo5Oco~{Ie%1-b#7x7`aI&WfvNLvteE_n@3S+arLJ44&=c?zG%jV!7?if zb$kzHxPqZI2#zFXXj2amjwn1m^bXUEW&qH@vw2%Ay z?Kw_@`u70b^7$=oJQgP29~1+8nkQ2Y0?-kPu@Io!d7XsHw9zm1E3!zq0oweT!lhU9 
zXeNqjYUN!n=le*&)ppdBSQlfF?L>>Ii)TM3H@#oX?HEF861~1zgum@~$Ib2QPdE<2 zEFGpzz_dajN|?3}devBTOLx6{rNWwmg%6#>X^~e8d?>{QxS%YLY$H&erp!0TvW&(O z0WQ!sm267@j2ibQ#@Wp+aN+^6`rIJ9e2f~b-xvd9`6kR}RBizKV*wy+ABytisO0x^ zXx~i}>yXOi;dI1CXWEbiEMEaaQkwD2?xNK9m9^ z5J(62$N0>@jeq+4Cb2)i|L;f^fc3rnKgI{B{=4x#y#F%(?~yD<|4E7cPGJ3Ys(BKo0iMY=GwJk85u8_0Az8|1s1V;lr-)qXn;+o;{`HmuK?0g-%AMhAw6=|jH zsB9o91t|ulo}#<4!e-U*9B%vvrJZRD$?uK?0Q~=SBv_`l8@@dWmA-3+ZBO>Ta_FM% zL2p+<^;!Pe`On`w|Gy^}Z9@K}*(~h;nPyYO{gX44{BsKzAOsY1SCrhJ{MjF3(7zIA zPyY}h5&q9a1OQ3Te-c;zm1yyML>eEMjp09uI@*8M$d~vxBKV&*{yS02_7Bl3?4Lx# zPhSKC0FLzkDG|x*4{^lnpF~@pKWn7>&y<({{EvUFarIw!&3yicSP1t|qSNMYq8sJ! zhx-3|GXFn_KbZdzBL@FT^zi;olp>z~pAvI^cRcWcacKUN=t=sUC_?<7OKASP>;DHq C-BJz! literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test new file mode 100644 index 0000000000..80a041c316 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) + { + print version, timestamp, signature_and_hashalgorithm; + } From a51ee9e1555381e252ea4c26066c67ce93b3ad4b Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 7 Feb 2017 10:43:45 -0800 Subject: [PATCH 047/147] Pull signed_certificate_timestamp into a separate pac file. That allows us to use the same code to parse the signed certificate timestamp X.509 extension in the X.509 file analyzer. --- .../protocol/ssl/tls-handshake-protocol.pac | 19 +-------------- ...handshake-signed_certificate_timestamp.pac | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 65da41e0db..1f3d418717 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -491,24 +491,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 };
 } &length=data_len+4 &exportsourcedata;
-type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
- length: uint16;
- SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
-} &length=length+2;
-
-type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
- # before - framing
- length: uint16;
- # from here: SignedCertificateTimestamp
- version: uint8;
- logid: bytestring &length=32;
- timestamp: uint64;
- extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
- extensions: bytestring &length=extensions_length;
- digitally_signed_algorithms: SignatureAndHashAlgorithm;
- digitally_signed_signature_length: uint16;
- digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
-} &length=length+2;
+%include tls-handshake-signed_certificate_timestamp.pac
 type ServerNameHostName() = record {
 length: uint16;
diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
new file mode 100644
index 0000000000..ad9b9d5651
--- /dev/null
+++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
@@ -0,0 +1,23 @@
+# We keep this extension separate, because it also can be included in X.509 certificates.
+# If included there, it uses the exact same syntax and we just symlink it from the X.509
+# file analyzer tree.
+
+type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
+ length: uint16;
+ SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
+} &length=length+2;
+
+type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
+ # before - framing
+ length: uint16;
+ # from here: SignedCertificateTimestamp
+ version: uint8;
+ logid: bytestring &length=32;
+ timestamp: uint64;
+ extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
+ extensions: bytestring &length=extensions_length;
+ digitally_signed_algorithms: SignatureAndHashAlgorithm;
+ digitally_signed_signature_length: uint16;
+ digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
+} &length=length+2;
+
From 5dd19f84a71ca37ebcaa9fbd3b4e6571c95fa329 Mon Sep 17 00:00:00 2001
From: Johanna Amann Date: Tue, 7 Feb 2017 13:31:21 -0800 Subject: [PATCH 048/147] Add parsing of signed certificate timestamps out of X.509 certs. This is a tiny bit evil because it uses parts of the SSL protocol analyzer in the X.509 certificate parser. Which is the fault of the protocol, which replicates the functionality. --- src/analyzer/protocol/ssl/CMakeLists.txt | 1 + .../protocol/ssl/tls-handshake-protocol.pac | 5 -- ...handshake-signed_certificate_timestamp.pac | 5 ++ .../analyzer/x509/CMakeLists.txt | 1 + src/file_analysis/analyzer/x509/X509.cc | 47 +++++++++++++++ src/file_analysis/analyzer/x509/X509.h | 1 + src/file_analysis/analyzer/x509/events.bif | 19 ++++++ .../analyzer/x509/x509-extension.pac | 54 ++++++++++++++++++ .../x509-signed_certificate_timestamp.pac | 1 + .../.stdout | 4 ++ .../Traces/tls/certificate-with-sct.pcap | Bin 0 -> 7584 bytes .../x509/signed_certificate_timestamp.test | 7 +++ 12 files changed, 140 insertions(+), 5 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/x509-extension.pac create mode 120000 src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/certificate-with-sct.pcap create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 0f45aa1f32..14e41892c8 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz proc-client-hello.pac proc-server-hello.pac proc-certificate.pac + tls-handshake-signed_certificate_timestamp.pac ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 1f3d418717..911ad96bd7 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -554,11 +554,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
 default -> other : bytestring &restofdata &transient;
 };
-type SignatureAndHashAlgorithm() = record {
- HashAlgorithm: uint8;
- SignatureAlgorithm: uint8;
-}
-
 type SignatureAlgorithm(rec: HandshakeRecord) = record {
 length: uint16;
 supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
index ad9b9d5651..f921db0790 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
@@ -2,6 +2,11 @@
 # If included there, it uses the exact same syntax and we just symlink it from the X.509
 # file analyzer tree.
+type SignatureAndHashAlgorithm() = record {
+ HashAlgorithm: uint8;
+ SignatureAlgorithm: uint8;
+}
+
 type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
 length: uint16;
 SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index aa663cfa6e..9a2d936c57 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -7,4 +7,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
 bro_plugin_begin(Bro X509)
 bro_plugin_cc(X509.cc Plugin.cc)
 bro_plugin_bif(events.bif types.bif functions.bif)
+bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac)
 bro_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index da3c6635a8..e85bc5615d 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -4,6 +4,7 @@
 #include "X509.h"
 #include "Event.h"
+#include "x509-extension_pac.h"
 #include "events.bif.h"
 #include "types.bif.h"
@@ -298,6 +299,52 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
 ParseSAN(ex);
+
+ else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
+ ParseSignedCertificateTimestamps(ex);
+ }
+
+void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
+ {
+ // Ok, signed certificate timestamps are a bit of an odd case out; we don't
+ // want to use the (basically nonexistant) OpenSSL functionality to parse them.
+ // Instead we have our own, self-written binpac parser to parse just them,
+ // which we will initialize here and tear down immediately again.
+
+ ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext);
+ // the octet string of the extension contains the octet string which in turn
+ // contains the SCT. Obviously.
+
+ unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length);
+ unsigned char* ext_val_second_pointer = ext_val_copy;
+ memcpy(ext_val_copy, ext_val->data, ext_val->length);
+
+ ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length);
+ if ( !inner )
+ {
+ reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string");
+ return;
+ }
+
+ binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this);
+ binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn);
+
+ try
+ {
+ interp->NewData(inner->data, inner->data + inner->length);
+ }
+ catch( const binpac::Exception& e )
+ {
+ // throw a warning or sth
+ reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT");
+ }
+
+ OPENSSL_free(ext_val_second_pointer);
+
+ interp->FlowEOF();
+
+ delete interp;
+ delete conn;
 }

 void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
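Review bot: Both cleanup paths in `ParseSignedCertificateTimestamps` leak: the early `return` on `!inner` skips `OPENSSL_free(ext_val_second_pointer)`, and the `ASN1_OCTET_STRING` that `d2i_ASN1_OCTET_STRING` allocates into `inner` is never freed on any path, so memory grows with every certificate carrying an SCT extension, and a malformed extension triggers the first leak on each occurrence. `ASN1_OCTET_STRING_free(inner)` after `interp->FlowEOF()` fixes the second; the first disappears together with the copy, which is not needed because `d2i_ASN1_OCTET_STRING` only advances a `const unsigned char*` cursor over `ext_val->data` and does not write through it. Both `reporter->Error` calls fire on certificate content taken from the wire; the `// throw a warning or sth` comment already hints that a weird rather than an error is the better signal for malformed input, since `Error` presumably denotes an internal fault. `interp->FlowEOF()` sits outside the `try`, so if it can raise `binpac::Exception` as `NewData` does, `interp` and `conn` would leak as well.
```cpp
	ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext);

	// d2i_* only advances the cursor, so no writable copy of the data is needed.
	const unsigned char* cursor = ext_val->data;
	ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, &cursor, ext_val->length);
	if ( ! inner )
		{
		reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string");
		return;
		}

	// … unchanged: MockConnection/SignedCertTimestampExt setup, try { NewData } catch …

	interp->FlowEOF();
	ASN1_OCTET_STRING_free(inner); // allocated by d2i_*; nothing else owns it

	delete interp;
	delete conn;
```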
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index c671c68a99..ca024ecf64 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -58,6 +58,7 @@ private:
 void ParseExtension(X509_EXTENSION* ex);
 void ParseBasicConstraints(X509_EXTENSION* ex);
 void ParseSAN(X509_EXTENSION* ex);
+ void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
 std::string cert_data;
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index fcdeaa31d1..8b2e2aa525 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -55,3 +55,22 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 ## x509_parse x509_verify
 ## x509_get_certificate_string
 event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
+
+## Generated for the signed_certificate_timestamp X509 extension as defined in
+## :rfc:`6962`. The extension is used to transmit signed proofs that are
+## used for Certificate Transparency.
+##
+## f: The file.
+##
+## version: the version of the protocol to which the SCT conforms. Always
+## should be 0 (representing version 1)
+##
+## logid: 32 bit key id
+##
+## timestamp: the timestamp of the sct
+##
+## signature_and_hashalgorithm: signature and hash algorithm used for the
+## digitally_signed struct
+##
+## signature: signature part of the digitally_signed struct
+event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%);
diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac
new file mode 100644
index 0000000000..56ca27d909
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
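Review bot: The doc block of `x509_ext_signed_certificate_timestamp` in events.bif does not match the signature below it: it documents a `signature_and_hashalgorithm` parameter, but the event takes `hash_algorithm: count` and `signature_algorithm: count`, and `logid` is described as a "32 bit key id" although the parser reads it with `&length=32`, i.e. 32 bytes. Replace the `signature_and_hashalgorithm` paragraph with `## hash_algorithm: hash algorithm used for the digitally_signed struct` and `## signature_algorithm: signature algorithm used for the digitally_signed struct`, and change the logid line to `## logid: 32 byte log id`. The timestamp line could add that the SCT's millisecond value is converted to a `time`, which is what `((double)timestamp)/1000` in x509-extension.pac does. A sentence saying that the SCT is passed on exactly as parsed, with its signature not verified against any log key, would keep script authors from reading this event as proof of CT inclusion.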
@@ -0,0 +1,54 @@ +# Binpac analyzer for X.509 extensions +# we just use it for the SignedCertificateTimestamp at the moment + +%include binpac.pac +%include bro.pac + +%extern{ +#include "types.bif.h" +#include "file_analysis/File.h" +#include "events.bif.h" +%} + +analyzer X509Extension withcontext { + connection: MockConnection; + flow: SignedCertTimestampExt; +}; + +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = SignedCertTimestampExt; + downflow = SignedCertTimestampExt; +}; + +%include x509-signed_certificate_timestamp.pac + +# The base record +type HandshakeRecord() = record { + signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient; +} &byteorder = bigendian; + +flow SignedCertTimestampExt { + flowunit = HandshakeRecord withcontext(connection, this); +}; + +refine connection MockConnection += { + + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + bro_analyzer()->GetFile()->GetVal()->Ref(), + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + digitally_signed_algorithms->HashAlgorithm(), + digitally_signed_algorithms->SignatureAlgorithm(), + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} +}; + +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; 
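Review bot: In `proc_signedcertificatetimestamp` the two `reinterpret_cast(...)` calls appear without a template argument in the text as rendered here; if the file really reads that way it will not compile, and if `<const char*>` was merely lost in rendering this can be ignored. The `((double)timestamp)/1000` deserves a comment, because nothing in the hunk says what unit it converts from: `# RFC 6962 SCT timestamps are milliseconds since the epoch; Bro time is seconds.` The `version` byte is forwarded unchecked, so script handlers receive whatever the extension carried; a comment such as `# version is not validated here; RFC 6962 v1 SCTs carry 0` would make that deliberate rather than surprising.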
diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac new file mode 120000 index 0000000000..88305ed8fd --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac @@ -0,0 +1 @@ +../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..4b81b287a6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -0,0 +1,4 @@ +0, 1474927230.876, 4, 3 +0, 1474927232.863, 4, 3 +0, 1474927232.112, 4, 3 +0, 1474927232.304, 4, 3 
diff --git a/testing/btest/Traces/tls/certificate-with-sct.pcap b/testing/btest/Traces/tls/certificate-with-sct.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0b6c1b166e608e97f24de3a487a37ff3abe69499 GIT binary patch literal 7584 zcmbVR30O?+`+m>NG^J(Q7cCmJNy}+pXw@R6P|+go%V?WwDk^EyLP?8CXps_92t~=X z5UE5vLW*b+LTUY^1NI0F06E=l~+I0|^oPWUB9J)X)K405o0gG=V05YM5GxcXt~;=l&`IstCHG{|G(# za?RY_kU0Pt9L+Tdi=}}eI(j{k*m(394zqyXDar`8Aaisq;4avhN8gAT0CITpb`%-4 z09Cw7Xzb$YMJ%-B?C>ED1uUTBFm&`g9Naijbi@)K^_x?S5ojZ*==j5L`8A@b-&(TE z{BA+eUx%@iuXCkQ=XL?KN50i|C6Zv4giX%FjayoMiruRQ0YNF z$OE|`8@PkLfCSut3Qz`0KoP`(7!VB(QDv!8RB@^Zm6=KdP6IWd0HUbU)b&(R>RKv0 zbp<#J&VU?{1zeHvY5;X02V{W^fI%iW0Wv^3a$|MCCZJ7~p-NKMQH7}lDh`|i8-X-P z16qKV%1WiBGEy;s2H>b{R64)~*Z~V*qB2pjfF8_Ykob5ZA>u@S1}uSrfl?kM5Bor8 z4~mqRGX*dJ92P(r3AvAu68A{Q15^e{+5VzE(bPl)@K zYtqZNt5?qEwDqny`o#g-ojG(lq2#{Xk+d>El?F&WkiR)3L%`3Fp&>yp7lC4{X8>%q zfQ<_9=imr@9vne)BxgP(EXvjX^7IpDTGr%AwD=FTe1n5CaW>&1D$i z6?m*U4$qF+WGurA^Pm%YcGg|qrX*J{;wCMk5y_K8adwgshsDriSoYPwj_LV2I}=S! zjfk6^eJLatlA}GvnW!%dui|EsQG``w6=h{)U^!(gWUBJp6c+l;thuQSC(J$%&B*wB zcEAzPn&16}XaF_>Vg|_X^q2?;0vG)TDq|Up@6Rcy6y?h?c6m+@e82hVFm1pAC-qZ9 zGx{QF+&=s4o$9EHR*xE~pAzbswVAzJgRMKWp3qO!$C@eQp3>}9e}C>ajnZZYl>uG? 
zCE3a9U_s}gzD>z)m0IsFO_SQ#$15-4=)JwInVL2oeXe?_=4MB2Up}QMwN1>pvY1S` zVxoWF#y`4>Ldc(nw-%Y(c6V*PCF)aS+PW`g1T(WPlN+kH1$PR*|vi zi@V6Ti`VGk3%wm&m)ZpLE1fRZ>XXl~mQ9YjrZ~03M@V$o2)M_D8hToZeeQun!E>ML z7CD!lcSTFmlfSwoxXSAKqVlR_x0hYu{mLJ-ae_J-vb=P(p4=0>5ARi&l9 z9sS5MQi0xnNLEQXdV5Mc+AB)?Ir|1U`^reWAZY|E{al5KUjJj2J;{FgBB>vXq|ilD zj?TWY8tR`QP7#)eWpm&hsc4BGs~vqk{FX15{IOheVY#md%#AK*#j(JIh^6Ugf*v5^ zHp6-_9Uku*&In;3SQXEJ1QQ2EoZJpU74L(9s4l|cSS(`$an?40REt7NML;slSu*bNcg32H*%=d(bG`-?$`u1*1Dz}!&Qw4 zf9!ILJa`I`ON2UL9Sl)@vtIZ&zDFEs2ibL3**-CA5{k^2+zj@33H8?77&PRnHF-$|3y$fh(jjI)7~U@PZ??PDt4$KT*qh~&#~f;V z*|#ea)CI={70x_dFdJk0%j{}DSIzz6PV7ReeU;-^Ge0@SXf}#7MDovlo~{&i;4{Jy z4Zd}|R0Ezh6Oc2rc71yDo3_69)tg64)eq!4sZJ<0f&k$5En`B^DWXa>{=-c%0i$W3 z?KZ9{Z90$XU5hGAOs47<%tj$HiCnEdtcxM~5-qB;PJB(AQ|x@Fl0s{7XVXc!kh|wa zV_i16e+#X>fmsdWb~V%3`gN)4KcjK>+#D5}MKX$@Ci)GH~DdUY7R-HWBVKJ!e_4dk9{%i!y)Mzcc^%JoA?=W&Tx%7quj* z4Z%c;okcCd5E)B^I+S|+2hzEgyU zCRVxO5_?qZC1tg#RpllVS9}6)`fbe({hbvN7DreS0xeIU^o)LT$%wMmP^UO0Tlg1+ z8Z=ON_-7Qj_Zq%WVK^*tIL}*BXlqz_O*Ea1;&{s#iTgoi-{Gwx*!|YyaV2{q^`_tC z)=G{D#+QbNkxCRqeaR{=vw;I#Y~_L!S(TNkqa)#?#reT6tGcW7jyB)*k(%ysvZuZ1 z%xTNjHB;1tjW#=GraQC~T#Yb$9);PEX0XBgl}y-sTY48i1JV4mylMLCw2p1+(zBIW zTfXo$tFB>+o0@5OckRg7^(moxxosrnR_Oq|{y3er=N^ z(Y#^33Y!dtX<5|%H|_f+bR=&tqLx3!&D)nm*-!L#Auh<`y!Oc>vZoBg3d#zo_Q|UJ zHvQks{@YKAfi+uOv=wyTS7aB_?G4siz?Pkb{f)D^vy|8Tw1 zh-K{#Ba;{Mr#_cGp0s%Q#v#jGZ+F?<1Z5$G(R7IrXBMW>>~y;JH>GSr$vv~N%!y}9 zZr|-t9M|G|XW0`yr*LPa|8Y)=*Y?5_4`23F`NY;fz2e*$e7w#jvC0^K@T6(H`^M&U zkqAL<_?E`~7mWKg1FWKxo)^saQhz{}M|!R0`NpZKZ?p$Olr^!tjFZtb;{i;heQO ztD^<~S$1Tk5G{gz7o`HxNf+1&7G0bpI?4BA@n3XO23GlbA|_h$$BBPRql~NUGIc}5 zalQ(e*Y>|k_wU-?>+*>3_*1E28J@^78^hNAZFWi>)?W}oO;{b?h-X@qK0H!xL;pYV zTUvNxBajfLS-nh4;&wY`BYjPlGYpGmc+X$v=kc^~GPS2iU4Fe(Sc=DFfom&YP=r=< z)||%Z)yTbB)3P%QI*3as z`=f}bT>iC-n3&g+8%woBNOn<6T=JG`$r&EuyykC$c0HUgh@57$ z(`uOY4IU16a>z`SDG3%2Oo- z-seW3HxiB9mW00-JTZAvWJH4CTJG^iBE!=*NUSz$BbI6WHMTdk#zJ&rYq+KKrx5!G zyKHVhKNZ&E^fDx7-=VjuN61HL^!x7z1H2v5QtgH#a5@XJLc6l&5d40F;&L@P@LNk` 
zU?hW<-SeFklPSgCm$J#*lW0V7l9E9SM&x$}_BE!?j{d&RL>-bViDK`uq=Q0RFOrw5 z48kqw$yj#cPmq7mA5?W&YxYeaT~S_msI&2Sx*?@2EA%7iC&U#Si0SaMoRDP}jx{~YRLaao z$Hjp45#>MF`|Qb#t6Lq74L!kz+}V|$Q)#M|nUwG)OVK4LbZ7N3+qYNTh>B<9g(M{O z87u=_;OkW{MiM7Zw^l&#+s|W!R}#r#V~4(r9lmBJl{qpVFwN=4HMGTJNQy17?a?e_ z{cZt< zy{oNAV`EbSWR>G%=e!ES<8ou~Zt!Wy+wmc?VkRf>OTYJk_A}2dCl1SRuH=5+A4a$4 z#%CF-22On_o4CKD9Pi|Wk?B0&v|}ntm$U+iKQ}*8hu1TtZV^~vts*va{$exuF16WE zF_5Ff-VWn=`%(U8~>e3>ri-rG`QOw_!cwVsnsz<*ImNCO9?^#Xjd~Q+<+#v6^sYR>! zGfZ04Nt6L7;ESu*k9R9(j%%mOa`|5Uo z$Tk!B(D!K%{J@}BR+Ryi#?2>!)9}Wk&Q$?C9HuM+pRx>`B{Q`!0FT7N1n0yHb0r8f-B!^oQHvZo*0XMf4@bdzli2V92B37F^FU}Pl%^qF66{b+zvYghij)G&ky)Hd|3+2D z6+1OmuYaj=W4!)-N7IMX6B*O{1}yXw`TZsUUu1E*-Mv4Fsa6s zjzRZ_S}pk%o}{cIJ4YOR_Gs$<2{yZ09dFez!_KPJ7dV2P9`-10(zTYA(*4+NDd^7g zG333u;!1nl>jyq1+>Y({H_Ye}z1$zABW@qHizb3q@PdNH7?Dt7IXY?X>&qn4a?;eG zs98zM*?#WZFyG*}PX(=yuLoBtd|6XnnE>5(+Y`woJ>2oskx}%qnR7^e)63OEvsrZ zyOHdQa?g{^=l61Hgbw0AA$x+*Rz?6BU;(!lu0ZvrbK7P4SxXG@qtC2In#l8;?^hpq zX7ak8z9)sDtRS8@NlSG`?R?htoLk1141C-D?KlSg+U+%^V6%JURcT1U3#?YQVN%`8 zqE^xC%{)`CXXLfZ)5KQYzJ2ayIm?OeE$;pzn4)s=_~BFRA2*%d5Xdk&WnJC-&DZ&Q zBV0$-afzKyjUB>MdLg>aPkIZ4WhScg za=Pp#g}MbaSTu6ided?T;f8DcSg*Yw9*Xym2{PEvD%hKQ;a#_8-!os1M6V0s88*Ei z6+Xj{vUgt1ekRnjL%GPG!{d(dlyD1ucqbt}wWaLqc_vcU^$j<;$0JRYEkC=}PzXs) zms(Al4@{q~sT#IUcQoANa&+>(_gwgh-xcdK_xLYf*{>)eH<1~B{9=e~O3E0zVT&Um zTdwG{+=)EP=&J;D{8<+!o1t~#W89y0p`;m77v6B8`&kzjFV=;O!Hj^4fT3dsBl^nFma zNM=dD@!mMe5B`oLzWrhLM}r(atjQ<1UPG2nuYHBnI-W^ot8NozOr6rRXE9vs%7I+> z{2nt9gF!|9#oVW?jl1I9Ze-EYZu`)HZS_8$b<%t@6aPVQ=V80c%d zK~H~=(8}`Bxh>I}-|GnDqnBHQbX9y9r_Y3h3mn!Bq|vR|cSzXw=tHI|Zta!?)+%wE zQ%9SOgVlUW&SJ6z%Uh$G{gh%=LU=kYBtipfGx^{UqM~(_D%es?|T~a%dtQ&Wd z{h1?GNR9|>LlB+T(F1!V;n49%)|sxELJ>99{)&iXT|wz0Vmv?*Igz`>`y)x%?%%Z} zt;1x0ojB)T+vl62Q{RUgTrWZYFAokKJ8IBcZ<)bc^OwNN0_^IS8blHAZuy0{EYXk_ zjf`9Z@}kFPX`)H(L=x>*7%SA_C9r^qxc^B{Bp#rM?1sM(mjwkud>n!LnAGtXA9sbZ oGSAr#{q&IzMMV)ye?$C>kJIx$?q25OF2u(Q^ktM6|56|S51>yUasU7T literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test new file mode 100644 index 0000000000..63be26448f --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, timestamp, hash_algorithm, signature_algorithm; + } From 2d64b4539466e1c52d4cc303712a02dbae03388a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 16:05:47 -0800 Subject: [PATCH 049/147] X509: make SCT parsing work with older OpenSSL versions --- src/file_analysis/analyzer/x509/X509.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index e85bc5615d..1189e55eaa 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -300,7 +300,11 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); +#ifdef NID_ct_cert_scts else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif ParseSignedCertificateTimestamps(ex); } From c670613996435d7e833eec724a77c91a8b3f0969 Mon Sep 17 00:00:00 2001 
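Review bot: The `#else` fallback in `ParseExtension` does not look equivalent to the `#ifdef` branch it stands in for: as far as I recall RFC 6962 and OpenSSL's object table, `1.3.6.1.4.1.11129.2.4.2` is the embedded SCT list that `NID_ct_precert_scts` names, but `1.3.6.1.4.1.11129.2.4.4` is the precertificate-signing EKU, and the OID behind `NID_ct_cert_scts` is `1.3.6.1.4.1.11129.2.4.5`; worth verifying against `objects.txt`, since a wrong OID here silently disables SCT parsing on the older builds this commit targets. The `oid` buffer compared here is defined outside the hunk, so I cannot see how it is filled — presumably by `OBJ_obj2txt` earlier in `ParseExtension`. A short comment on the fallback would help the next reader: `// older OpenSSL has no NID for the CT SCT extensions; match the RFC 6962 OIDs by text`.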
From: Johanna Amann Date: Wed, 8 Feb 2017 10:57:30 -0800 Subject: [PATCH 050/147] Make OCSP analyzer part of the X.509 analyzer This allows the easier integration of shared functionality. And it also makes logical sense, given that OCSP is not interesting without X.509. --- scripts/base/files/ocsp/README | 1 - scripts/base/files/ocsp/__load__.bro | 1 - scripts/base/files/x509/README | 1 + .../files/{ocsp/main.bro => x509/ocsp.bro} | 2 ++ scripts/base/init-default.bro | 1 - .../policy/protocols/ssl/validate-ocsp.bro | 2 +- src/file_analysis/analyzer/CMakeLists.txt | 1 - .../analyzer/ocsp/CMakeLists.txt | 10 -------- src/file_analysis/analyzer/ocsp/Plugin.cc | 25 ------------------- .../analyzer/x509/CMakeLists.txt | 4 +-- .../analyzer/{ocsp => x509}/OCSP.cc | 4 +-- .../analyzer/{ocsp => x509}/OCSP.h | 0 src/file_analysis/analyzer/x509/Plugin.cc | 4 ++- .../{ocsp/events.bif => x509/ocsp_events.bif} | 0 .../functions.bif => x509/ocsp_functions.bif} | 4 +-- .../{ocsp/types.bif => x509/ocsp_types.bif} | 0 16 files changed, 13 insertions(+), 47 deletions(-) delete mode 100644 scripts/base/files/ocsp/README delete mode 100644 scripts/base/files/ocsp/__load__.bro rename scripts/base/files/{ocsp/main.bro => x509/ocsp.bro} (99%) delete mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt delete mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.cc (99%) rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.h (100%) rename src/file_analysis/analyzer/{ocsp/events.bif => x509/ocsp_events.bif} (100%) rename src/file_analysis/analyzer/{ocsp/functions.bif => x509/ocsp_functions.bif} (95%) rename src/file_analysis/analyzer/{ocsp/types.bif => x509/ocsp_types.bif} (100%) diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README deleted file mode 100644 index beabe8a3fc..0000000000 --- a/scripts/base/files/ocsp/README +++ /dev/null @@ -1 +0,0 @@ -Support for ocsp file analysis framework. 
diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro deleted file mode 100644 index d551be57d3..0000000000 --- a/scripts/base/files/ocsp/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -@load ./main \ No newline at end of file diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index 8b50366cd2..b523eb4fc4 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1 +1,2 @@ Support for X509 certificates with the file analysis framework. +Also supposrts OCSP requests and responses. diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/x509/ocsp.bro similarity index 99% rename from scripts/base/files/ocsp/main.bro rename to scripts/base/files/x509/ocsp.bro index 3474e3a797..4a4836eee5 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -2,6 +2,8 @@ @load base/utils/paths @load base/utils/queue +# Note - this needs some cleaning up and is currently not loaded by default. + module OCSP; export { diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 82379ec31c..65b41305c7 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -77,7 +77,6 @@ @load base/files/extract @load base/files/unified2 @load base/files/x509 -@load base/files/ocsp @load base/misc/find-checksum-offloading @load base/misc/find-filtered-trace diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 6667d9fbae..8f0da3ef2f 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,4 @@ -##! Perform OCSP response validation. +##! Perform validation of stapled OCSP responses. @load base/frameworks/notice @load base/protocols/ssl diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index 9296f4e6de..ef17247997 100644 
--- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -5,4 +5,3 @@ add_subdirectory(hash) add_subdirectory(pe) add_subdirectory(unified2) add_subdirectory(x509) -add_subdirectory(ocsp) \ No newline at end of file diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt deleted file mode 100644 index 12c54c1c84..0000000000 --- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt +++ /dev/null @@ -1,10 +0,0 @@ - -include(BroPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_BINARY_DIR}) - -bro_plugin_begin(Bro OCSP) -bro_plugin_cc(OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) -bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc deleted file mode 100644 index f7edbd1d6d..0000000000 --- a/src/file_analysis/analyzer/ocsp/Plugin.cc +++ /dev/null @@ -1,25 +0,0 @@ -// See the file in the main distribution directory for copyright. - - -#include "plugin/Plugin.h" - -#include "OCSP.h" - -namespace plugin { -namespace Bro_OCSP { - -class Plugin : public plugin::Plugin { -public: - plugin::Configuration Configure() - { - AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); - - plugin::Configuration config; - config.name = "Bro::OCSP"; - config.description = "OCSP analyzer"; - return config; - } -} plugin; - -} -} diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..e95b4ae6e6 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt 
@@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif) bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc similarity index 99% rename from src/file_analysis/analyzer/ocsp/OCSP.cc rename to src/file_analysis/analyzer/x509/OCSP.cc index d54f1f345b..926f30cf37 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -5,8 +5,8 @@ #include "OCSP.h" #include "Event.h" -#include "events.bif.h" -#include "types.bif.h" +#include "ocsp_events.bif.h" +#include "ocsp_types.bif.h" #include "file_analysis/Manager.h" diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h similarity index 100% rename from src/file_analysis/analyzer/ocsp/OCSP.h rename to src/file_analysis/analyzer/x509/OCSP.h diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index d9d1b71ab4..5a0b67136a 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc @@ -4,6 +4,7 @@ #include "plugin/Plugin.h" #include "X509.h" +#include "OCSP.h" namespace plugin { namespace Bro_X509 { @@ -13,10 +14,11 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); plugin::Configuration config; config.name = "Bro::X509"; - config.description = "X509 analyzer"; + config.description = "X509 and OCSP analyzer"; return config; } } plugin; 
diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif similarity index 100% rename from src/file_analysis/analyzer/ocsp/events.bif rename to src/file_analysis/analyzer/x509/ocsp_events.bif diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif similarity index 95% rename from src/file_analysis/analyzer/ocsp/functions.bif rename to src/file_analysis/analyzer/x509/ocsp_functions.bif index 164b4a63ec..a5f31f9411 100644 --- a/src/file_analysis/analyzer/ocsp/functions.bif +++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif @@ -1,6 +1,6 @@ %%{ -#include "file_analysis/analyzer/ocsp/OCSP.h" -#include "types.bif.h" +#include "file_analysis/analyzer/x509/OCSP.h" +#include "ocsp_types.bif.h" %%} ## Parses a OCSP response into an OCSP::Response structure. diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif similarity index 100% rename from src/file_analysis/analyzer/ocsp/types.bif rename to src/file_analysis/analyzer/x509/ocsp_types.bif From b021fe75623a55148c8aab94d7f4c43693bf3350 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 8 Feb 2017 16:24:52 -0800 Subject: [PATCH 051/147] Rewrite of big parts of the OCSP analyzer. Less redundancy, style closer to the X.509 analyzer, times being parsed as real times, and lots of other changes. --- scripts/base/files/x509/__load__.bro | 1 + scripts/base/files/x509/ocsp.bro | 7 +- scripts/base/init-bare.bro | 29 +- src/file_analysis/analyzer/x509/Asn1Time.h | 157 +++++ src/file_analysis/analyzer/x509/OCSP.cc | 596 +++++------------- src/file_analysis/analyzer/x509/OCSP.h | 4 +- src/file_analysis/analyzer/x509/X509.cc | 164 +---- src/file_analysis/analyzer/x509/X509.h | 1 - .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 14 +- 13 files changed, 376 insertions(+), 629 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/Asn1Time.h diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index a10fe855df..15c5754b1f 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1 +1,2 @@ @load ./main +@load ./ocsp diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index 4a4836eee5..f417cd6113 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -1,3 +1,4 @@ +@load base/protocols/http @load base/frameworks/files @load base/utils/paths @load base/utils/queue @@ -68,7 +69,7 @@ export { ## responderID responderID: string &log &optional; ## producedAt - producedAt: string &log &optional; + producedAt: time &log &optional; ## certificates certs: vector of opaque of x509 &optional; @@ -85,9 +86,9 @@ export { ## certStatus (this is the response to look at) certStatus: string &log &optional; ## thisUpdate - thisUpdate: string &log &optional; + thisUpdate: time &log &optional; ## nextUpdate - nextUpdate: string &log &optional; + nextUpdate: time &log &optional; }; type Info: record { 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e73e1ec849..d31bf8f0b6 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3651,49 +3651,52 @@ export { issuerNameHash: string &log; issuerKeyHash: string &log; serialNumber: string &log; - #RequestExtensions: xxx }; + type Request: record { version: count &log &optional; requestorName: string &log &optional; requestList: vector of OneReq; - #requestExtensions: xxx - }; + }; + type SingleResp: record { hashAlgorithm: string &log; issuerNameHash: string &log; issuerKeyHash: string &log; serialNumber: string &log; certStatus: string &log; - thisUpdate: string &log; - nextUpdate: string &log &optional; - #Extensions: xxx + revoketime: time &log &optional; + revokereason: string &log &optional; + thisUpdate: time &log; + nextUpdate: time &log &optional; }; + type Response: record { responseStatus: string &log; - responseType: string &log; - version: count &log; - responderID: string &log; - producedAt: string &log; + responseType: string &log &optional; + version: count &log &optional; + responderID: string &log &optional; + producedAt: time &log &optional; responses: vector of SingleResp; - #responseExtensions:xxx signatureAlgorithm: string &log &optional; - signature: string &optional; #&log; + #signature: string &optional; #&log; certs: vector of opaque of x509 &optional; }; + type CertId: record { hashAlgorithm: string &log &optional; issuerNameHash: string &log &optional; issuerKeyHash: string &log &optional; serialNumber: string &log &optional; }; + } module GLOBAL; type ocsp_req_vec: vector of OCSP::OneReq; type ocsp_resp_vec: vector of OCSP::SingleResp; - + module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/src/file_analysis/analyzer/x509/Asn1Time.h b/src/file_analysis/analyzer/x509/Asn1Time.h new file mode 100644 index 0000000000..31013ec2a7 --- /dev/null +++ b/src/file_analysis/analyzer/x509/Asn1Time.h 
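Review bot: `SingleResp` mixes naming styles in its new fields: `revoketime` and `revokereason` sit next to `thisUpdate` and `nextUpdate`, which follow the RFC 6960 field names in camelCase; `revocationTime` and `revocationReason` (the RFC names) would keep the record consistent. The commented-out `#signature: string &optional; #&log;` line in `Response` is either dead or a TODO; if the field is meant to return, a `## TODO` comment saying why it is disabled would be clearer than a commented field. The fields in these records carry no `##` documentation, whereas the matching records in `scripts/base/files/x509/ocsp.bro` document every field.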
@@ -0,0 +1,157 @@ +static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. 
+ // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 926f30cf37..c7747f54ce 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -15,6 +15,9 @@ #include #include +#include "file_analysis/analyzer/x509/X509.h" +#include "Asn1Time.h" + // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) // X509 => file_analysis::X509 @@ -23,8 +26,6 @@ X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) return sk_X509_value(certs, i); } -#include "file_analysis/analyzer/x509/X509.h" - using namespace file_analysis; IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); 
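Review bot: `GetTimeFromAsn1` builds a `tm` from an ASN.1 time that is UTC by construction (the code itself demands the trailing `Z` for UTCTime), but converts it with `mktime`, which interprets the `tm` in the process's local time zone; unless the process runs with TZ set to UTC the result is shifted by the local offset, and the `tm_isdst` fix-up only papers over part of that. `timegm` (available on glibc, the BSDs and macOS) converts a UTC broken-down time directly. The explicit `+hhmm`/`-hhmm` offset is then added to the result, which looks inverted to me — a time written as local with `+0100` is one hour earlier in UTC — though RFC 5280 forbids such offsets in certificates, so it may never be exercised. Separately, a non-`inline` `static` function defined in a header gives every including TU its own copy plus an unused-function warning; marking it `inline` or moving the definition to a `.cc` would be the usual form, and the header also lacks an include guard and the `<ctime>`/OpenSSL headers it relies on.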
@@ -32,213 +33,59 @@ IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); #define OCSP_STRING_BUF_SIZE 2048 -//this function is copied from src/file_analysis/analyzer/extract/Extract.cc -static Val* get_extract_field_val(RecordVal* args, const char* name) +static Val* get_ocsp_type(RecordVal* args, const char* name) { Val* rval = args->Lookup(name); + if ( ! rval ) reporter->Error("File extraction analyzer missing arg field: %s", name); + return rval; } -//convert different ANS1 type to c string -static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) +static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio) { - if (data == NULL || buf == NULL || buf_len <=0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); - - if (type == V_ASN1_OCTET_STRING) - { - if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_OCTET_STRING) <= 0) - goto err; - } - else if (type == V_ASN1_BIT_STRING) - { - if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_BIT_STRING) <= 0) - goto err; - } - else if (type == V_ASN1_INTEGER) - { - // NOTE: this will print the hex number - // wireshark may display decimal number - if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) - goto err; - } - else if (type == V_ASN1_OBJECT) - { - if (i2a_ASN1_OBJECT(bio, (ASN1_OBJECT *)data) <= 0) - goto err; - } - else if (type == V_ASN1_GENERALIZEDTIME) - { - // TODO: convert ASN1_GENERALIZEDTIME to epoch time? - // new API: ASN1_TIME_diff() requires openssl 1.0.2 - // epoch time might be better for post processing - - // NOTE: this is for human readable time format - //if (!ASN1_GENERALIZEDTIME_print(bio, (ASN1_GENERALIZEDTIME *)data)) - // goto err; - - // NOTE: this is printing the raw string which is also understandable - // since this is smaller, let's keep ASN1_GENERALIZEDTIME as this for now? 
- ASN1_GENERALIZEDTIME *tmp = (ASN1_GENERALIZEDTIME *)data; - BIO_write(bio, tmp->data, tmp->length); - } - - else - goto err; - - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; - } - -//ANS1 OCTET string to c string -static int ASN1_OCTET_STRING_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_OCTET_STRING); - } - -//ANS1 BIT string to c string -static int ASN1_BIT_STRING_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_BIT_STRING); - } - -//ANS1 integer to c string -static int ASN1_INTEGER_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_INTEGER); - } - -//ANS1 object to c string -static int ASN1_OBJECT_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_OBJECT); - } - -//ASN1_GENERALIZEDTIME to c string -static int ASN1_GENERALIZEDTIME_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_GENERALIZEDTIME); - } - -//CENERAL XXX to c string -static int GENERAL_NAME_to_cstr(char *buf, int buf_len, void *data) - { - if (data == NULL || buf == NULL || buf_len <= 0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); - if (GENERAL_NAME_print(bio, (GENERAL_NAME *)data) <= 0) - goto err; - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; - } - -//OCSP respond id to c string -static int OCSP_RESPID_to_cstr(char *buf, int buf_len, OCSP_RESPID *resp_id) - { - if (resp_id == NULL || buf == NULL || buf_len <= 0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); if (resp_id->type == V_OCSP_RESPID_NAME) - { - if (X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE) <=0) - goto err; - } + X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE); else if (resp_id->type == V_OCSP_RESPID_KEY) - { - if 
(i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING) <= 0) - goto err; - } - else - goto err; - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; + i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING); } -//print out a cert id for debug -static void ocsp_print_cert_id(OCSP_CERTID *cid) +static RecordVal* ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordType* type, BIO* bio) { - if (cid == NULL) - return; + RecordVal *d = new RecordVal(type); char buf[OCSP_STRING_BUF_SIZE]; - int len = sizeof(buf); - memset(buf, 0, len); - int new_len = -1; - - //print hashAlgorithm - new_len = ASN1_OBJECT_to_cstr(buf, len, (void *)(cid->hashAlgorithm->algorithm)); - StringVal hashAlgorithm = StringVal(new_len, buf); - printf("[%d]hashAlgorithm: %s\n", new_len, hashAlgorithm.CheckString()); + memset(buf, 0, sizeof(buf)); - //print issuerNameHash - new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerNameHash)); - StringVal issuerNameHash = StringVal(new_len, buf); - printf("[%d]issuerNameHash: %s\n", new_len, issuerNameHash.CheckString()); + i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm); + int len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(0, new StringVal(len, buf)); + BIO_reset(bio); - //print issuerKeyHash - new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); - StringVal issuerKeyHash = StringVal(new_len, buf); - printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); + i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); - //print serialNumber - new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber)); - StringVal serialNumber = StringVal(new_len, buf); - printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); - } + i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, 
sizeof(buf)); + d->Assign(2, new StringVal(len, buf)); + BIO_reset(bio); -//fill in cert id -static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) - { - if (d == NULL || cert_id == NULL) - return; - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); + i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + d->Assign(3, new StringVal(len, buf)); + BIO_reset(bio); - //hashAlgorithm - int len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(cert_id->hashAlgorithm->algorithm)); - if (len > 0) - d->Assign(0, new StringVal(len, buf)); - - //issuerNameHash - len = -1; - len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerNameHash)); - if (len > 0) - d->Assign(1, new StringVal(len, buf)); - - //issuerKeyHash - len = -1; - len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); - if (len > 0) - d->Assign(2, new StringVal(len, buf)); - - //serialNumber - len = -1; - len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber)); - if (len > 0) - d->Assign(3, new StringVal(len, buf)); + return d; } file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) { - Val* ocsp_type = get_extract_field_val(args, "ocsp_type"); - if (! ocsp_type ) + Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); + + if (! ocsp_type ) return 0; + return new OCSP(args, file, ocsp_type->AsString()->CheckString()); } 
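Review bot: In `ocsp_fill_cert_id` the serialNumber step calls `i2a_ASN1_INTEGER(bio, cert_id->serialNumber);` but never reads the BIO back, so field 3 is assigned from the stale `buf`/`len` left over from issuerKeyHash; insert `len = BIO_read(bio, buf, sizeof(buf));` before `d->Assign(3, new StringVal(len, buf));`. None of the `i2a_*` or `BIO_read` return values are checked: `BIO_read` yields 0 or -1 on an empty BIO and that value goes straight into `new StringVal(len, buf)`, so a guard such as `if ( len < 0 ) len = 0;` per field — or a small helper that does print/read/reset once — would be safer. The error text in `get_ocsp_type`, "File extraction analyzer missing arg field", was inherited from Extract.cc and should name the OCSP analyzer. An unknown `resp_id->type` in `OCSP_RESPID_bio` silently yields an empty responderID; a comment stating that this is intended would help.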
@@ -260,328 +107,223 @@ bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) return false; } -// parse OCSP request or response and send data to bro scriptland +// we parse the entire OCSP response in EOF, because we just pass it on +// to OpenSSL. bool file_analysis::OCSP::EndOfFile() { - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); - + if (ocsp_type == "request") { - req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + if (!req) { reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); - goto ocsp_cleanup; - } - - //parse request into record - OCSP_REQVal* req_val = new OCSP_REQVal(req); - RecordVal* req_record = ParseRequest(req_val); - if (!req_record) - { - reporter->Weird(fmt("Internal fail to parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); - Unref(req_val); - goto ocsp_cleanup; + return false; } + OCSP_REQVal* req_val = new OCSP_REQVal(req); // req_val takes ownership + + RecordVal* req_record = ParseRequest(req_val, GetFile()->GetID().c_str()); + // and send the record on to scriptland val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(req_val->Ref()); - vl->append(req_record->Ref()); - mgr.QueueEvent(ocsp_request, vl); - - Unref(req_val); - Unref(req_record); + vl->append(req_val); + vl->append(req_record); + mgr.QueueEvent(ocsp_request, vl); } else if (ocsp_type == "response") { - resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); if (!resp) { reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); - goto ocsp_cleanup; - } - - //parse request into record - OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); - RecordVal* resp_record = ParseResponse(resp_val); - 
if (!resp_record) - { - reporter->Weird(fmt("Internal fail to parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); - Unref(resp_val); - goto ocsp_cleanup; + return false; } + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership + RecordVal* resp_record = ParseResponse(resp_val, GetFile()->GetID().c_str()); + // and send the record on to scriptland val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(resp_val->Ref()); - vl->append(resp_record->Ref()); + vl->append(resp_val); + vl->append(resp_record); mgr.QueueEvent(ocsp_response, vl); - - Unref(resp_val); - Unref(resp_record); } else + { reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); -ocsp_cleanup: - //if (resp) - // OCSP_RESPONSE_free(resp); - //if (req) - // OCSP_REQUEST_free(req); - return false; + return false; + } + + return true; } -// parse OCSP request and trigger event -RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) +RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val, const char* fid) { - if (req_val == NULL) - return NULL; - OCSP_REQUEST *req = NULL; - OCSP_ONEREQ *one_req = NULL; - OCSP_CERTID *cert_id = NULL; - OCSP_REQINFO *inf = NULL; - //OCSP_SIGNATURE *sig = NULL; + OCSP_REQUEST *req = req_val->GetReq(); + OCSP_REQINFO *inf = req->tbsRequest; - RecordVal* ocsp_req_record = NULL; - VectorVal* all_req_bro = NULL; - - int req_count = -1, i = -1, len = -1; - long version = -1; + char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions + memset(buf, 0, sizeof(buf)); - req = req_val->GetReq(); - if (req == NULL) - return NULL; - - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); - - inf = req->tbsRequest; - //sig = req->optionalSignature; - if (inf == NULL) - return NULL; + RecordVal* ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); - ocsp_req_record = new 
RecordVal(BifType::Record::OCSP::Request); - if (!ocsp_req_record) - { - reporter->Error("Cannot create OCSP request structure: Internal memory error"); - return NULL; - } + ocsp_req_record->Assign(0, new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); + BIO *bio = BIO_new(BIO_s_mem()); - //version - version = ASN1_INTEGER_get(inf->version); - if (version != -1) - ocsp_req_record->Assign(0, new Val((uint64)version, TYPE_COUNT)); - - //requestorName if (inf->requestorName != NULL) { - len = -1; - len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); - if (len > 0) - ocsp_req_record->Assign(1, new StringVal(len, buf)); + GENERAL_NAME_print(bio, inf->requestorName); + int len = BIO_read(bio, buf, sizeof(buf)); + ocsp_req_record->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); } - - //deal with details of the request - req_count = OCSP_request_onereq_count(req); - if (req_count <= 0) - goto clean_up; - for (i=0; iAsVectorType()); - RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); - ocsp_fill_cert_id(cert_id, one_req_bro); - all_req_bro->Assign(all_req_bro->Size(), one_req_bro); + VectorVal* all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); + ocsp_req_record->Assign(2, all_req_bro); + + int req_count = OCSP_request_onereq_count(req); + for ( int i=0; iAssign(i, one_req_bro); } - - if (all_req_bro != NULL) - ocsp_req_record->Assign(2, all_req_bro); -clean_up: + + BIO_free(bio); + return ocsp_req_record; } -// parse OCSP response and trigger event -RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) +RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) { - if (resp_val == NULL) - return NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_RESPBYTES *resp_bytes = NULL; - OCSP_CERTID *cert_id = NULL; - OCSP_BASICRESP *basic_resp = NULL; - OCSP_RESPDATA *resp_data = NULL; - OCSP_RESPID *resp_id = NULL; - OCSP_SINGLERESP *single_resp = NULL; - 
OCSP_REVOKEDINFO *revoked_info = NULL; - OCSP_CERTSTATUS *cert_status = NULL; + OCSP_RESPONSE *resp = resp_val->GetResp(); + OCSP_RESPBYTES *resp_bytes = resp->responseBytes; + OCSP_BASICRESP *basic_resp = nullptr; + OCSP_RESPDATA *resp_data = nullptr; + OCSP_RESPID *resp_id = nullptr; - RecordVal *ocsp_resp_record = NULL; - VectorVal *all_resp_bro = NULL; - - int resp_count = -1, status = -1, i = -1, len = -1; - long version = -1; - - resp = resp_val->GetResp(); - if (resp == NULL) - return NULL; + int resp_count = 0; + VectorVal *all_resp_bro = nullptr; - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); + char buf[OCSP_STRING_BUF_SIZE]; + memset(buf, 0, sizeof(buf)); - ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); - if (!ocsp_resp_record) - { - reporter->Error("Cannot create OCSP response structure: Internal memory error"); - return NULL; - } + RecordVal *ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); - //responseStatus - status = OCSP_response_status(resp); - const char *status_str = OCSP_response_status_str(status); - ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); + ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); - //responseType - resp_bytes = resp->responseBytes; if (!resp_bytes) - goto clean_up; - len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(resp_bytes->responseType)); - if (len > 0) - ocsp_resp_record->Assign(1, new StringVal(len, buf)); - - //get the basic response + return ocsp_resp_record; + + BIO *bio = BIO_new(BIO_s_mem()); + i2a_ASN1_OBJECT(bio, resp_bytes->responseType); + int len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); + + // get the basic response basic_resp = OCSP_response_get1_basic(resp); - if (!basic_resp) + if ( !basic_resp ) goto clean_up; + 
resp_data = basic_resp->tbsResponseData; - if (!resp_data) + if ( !resp_data ) goto clean_up; - //version - version = ASN1_INTEGER_get(resp_data->version); - if (version != -1) - ocsp_resp_record->Assign(2, new Val((uint64)version, TYPE_COUNT)); - - //responderID + ocsp_resp_record->Assign(2, new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + // responderID resp_id = resp_data->responderId; - len = -1; - len = OCSP_RESPID_to_cstr(buf, buf_len, resp_id); - if (len > 0) - ocsp_resp_record->Assign(3, new StringVal(len, buf)); + OCSP_RESPID_bio(resp_id, bio); + len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(3, new StringVal(len, buf)); + BIO_reset(bio); - //producedAt - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(resp_data->producedAt)); - if (len > 0) - ocsp_resp_record->Assign(4, new StringVal(len, buf)); + // producedAt + ocsp_resp_record->Assign(4, new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); - //responses + all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); + ocsp_resp_record->Assign(5, all_resp_bro); + + // responses resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); - if (resp_count <= 0) - goto clean_up; - for (i=0; iresponses, i); - if (!single_resp) + OCSP_SINGLERESP *single_resp = sk_OCSP_SINGLERESP_value(resp_data->responses, i); + if ( !single_resp ) continue; - if (all_resp_bro == NULL) - all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); - RecordVal *single_resp_bro = new RecordVal(BifType::Record::OCSP::SingleResp); - //cert id - cert_id = single_resp->certId; - ocsp_fill_cert_id(cert_id, single_resp_bro); + // cert id + OCSP_CERTID *cert_id = single_resp->certId; + RecordVal *single_resp_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::SingleResp, bio); + BIO_reset(bio); - //certStatus - cert_status = single_resp->certStatus; - std::string cert_status_str = 
OCSP_cert_status_str(cert_status->type); - std::string revoke_reason = ""; - std::string revoke_time = ""; + // certStatus + OCSP_CERTSTATUS *cert_status = single_resp->certStatus; + const char* cert_status_str = OCSP_cert_status_str(cert_status->type); + single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); - //add revocation time and reason if it is revoked - if (cert_status->type == V_OCSP_CERTSTATUS_REVOKED) + // revocation time and reason if revoked + if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED ) { - revoked_info = cert_status->value.revoked; - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); - if (len > 0) - revoke_time.assign((const char *)buf, len); + OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked; + single_resp_bro->Assign(5, new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); - if (revoked_info->revocationReason) - revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + if ( revoked_info->revocationReason ) + { + const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + single_resp_bro->Assign(6, new StringVal(strlen(revoke_reason), revoke_reason)); + } } - if (revoke_time.length() > 0) - cert_status_str += " " + revoke_time; - if (revoke_reason.length() > 0) - cert_status_str += " " + revoke_reason; - single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str())); + single_resp_bro->Assign(7, new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); + if ( single_resp->nextUpdate ) + single_resp_bro->Assign(8, new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); - //thisUpdate - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->thisUpdate)); - if (len > 0) - single_resp_bro->Assign(5, new StringVal(len, buf)); - - //nextUpdate - len = 
-1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->nextUpdate)); - if (len > 0) - single_resp_bro->Assign(6, new StringVal(len, buf)); - - all_resp_bro->Assign(all_resp_bro->Size(), single_resp_bro); + all_resp_bro->Assign(i, single_resp_bro); } - if (all_resp_bro != NULL) - ocsp_resp_record->Assign(5, all_resp_bro); - //signatureAlgorithm - if (basic_resp->signatureAlgorithm) - { - len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(basic_resp->signatureAlgorithm->algorithm)); - if (len > 0) - ocsp_resp_record->Assign(6, new StringVal(len, buf)); - } - //signature - if (basic_resp->signature) - { - len = -1; - len = ASN1_BIT_STRING_to_cstr(buf, buf_len, (void *)(basic_resp->signature)); - if (len > 0) - ocsp_resp_record->Assign(7, new StringVal(len, buf)); - } + i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); + len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(6, new StringVal(len, buf)); + BIO_reset(bio); + + //i2a_ASN1_OBJECT(bio, basic_resp->signature); + //len = BIO_read(bio, buf, sizeof(buf)); + //ocsp_resp_record->Assign(7, new StringVal(len, buf)); + //BIO_reset(bio); + //certs - if (basic_resp->certs) + if ( basic_resp->certs ) { VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); int num_certs = sk_X509_num(basic_resp->certs); - for (i=0; icerts, i)); //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); if (this_cert) certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); else reporter->Weird("OpenSSL returned null certificate"); - } - ocsp_resp_record->Assign(8, certs_vector); + } + ocsp_resp_record->Assign(7, certs_vector); } + clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); + BIO_free(bio); return ocsp_resp_record; } -//OCSP_REQVal OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) { ocsp_req = arg_ocsp_req; 
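Review bot: The `int len = BIO_read(bio, buf, sizeof(buf));` results in ParseRequest (requestorName) and ParseResponse (responseType, responderID, signatureAlgorithm) go straight into `new StringVal(len, buf)` with no check for a non-positive value, and the `BIO_new(BIO_s_mem())` calls are never null-checked; `BIO_read` returns 0 or -1 when the mem BIO is empty (e.g. the preceding `i2a_*`/`*_print` call failed on malformed input, or the BIO is null), so a negative length would reach the StringVal constructor. Either clamp after each read, `if ( len < 0 ) len = 0;`, or skip the `Assign` when `len <= 0` as the removed `*_to_cstr` code did, so attacker-controlled OCSP bytes cannot yield a bogus length. The same unchecked pattern is in ocsp_fill_cert_id, whose hunk starts before this view. Separately, the `continue` on a null single_resp in the responses loop now leaves slot `i` of all_resp_bro unassigned, since the vector is indexed by `i` rather than appended as before.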
@@ -589,7 +331,7 @@ OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) { - ocsp_req = NULL; + ocsp_req = nullptr; } OCSP_REQVal::~OCSP_REQVal() @@ -606,7 +348,7 @@ OCSP_REQUEST* OCSP_REQVal::GetReq() const bool OCSP_REQVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); - unsigned char *buf = NULL; + unsigned char *buf = nullptr; int length = i2d_OCSP_REQUEST(ocsp_req, &buf); if ( length < 0 ) return false; @@ -621,11 +363,11 @@ bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) int length; unsigned char *ocsp_req_buf, *opensslbuf; - + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) return false; opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. - ocsp_req = d2i_OCSP_REQUEST(NULL, const_cast(&opensslbuf), length); + ocsp_req = d2i_OCSP_REQUEST(nullptr, const_cast(&opensslbuf), length); delete[] ocsp_req_buf; if ( !ocsp_req ) return false; @@ -641,7 +383,7 @@ OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_o OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) { - ocsp_resp = NULL; + ocsp_resp = nullptr; } OCSP_RESPVal::~OCSP_RESPVal() @@ -658,7 +400,7 @@ OCSP_RESPONSE* OCSP_RESPVal::GetResp() const bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); - unsigned char *buf = NULL; + unsigned char *buf = nullptr; int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); if ( length < 0 ) return false; 
@@ -673,11 +415,11 @@ bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) int length; unsigned char *ocsp_resp_buf, *opensslbuf; - + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) return false; opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. - ocsp_resp = d2i_OCSP_RESPONSE(NULL, const_cast(&opensslbuf), length); + ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast(&opensslbuf), length); delete[] ocsp_resp_buf; if ( !ocsp_resp ) return false; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index ecdba6582d..ab40c13bca 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -24,8 +24,8 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - static RecordVal *ParseResponse(OCSP_RESPVal *); - static RecordVal *ParseRequest(OCSP_REQVal *); + static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = 0); + static RecordVal *ParseRequest(OCSP_REQVal *, const char* fid = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..a98b96f244 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -16,6 +16,8 @@ #include #include +#include "Asn1Time.h" + using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); 
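Review bot: The new default arguments `const char* fid = 0` on the ParseResponse/ParseRequest declarations in OCSP.h should be `nullptr`, to match the NULL-to-nullptr conversion the rest of this commit performs in OCSP.cc. ParseRequest never uses `fid` and ParseResponse only forwards it to GetTimeFromAsn1 (Asn1Time.h, not in this diff); the removed X509::GetTimeFromAsn1 substituted `""` for a null fid before formatting it with `%s`, and the replacement should be confirmed to do the same, since callers of these static functions outside the analyzer may now pass nothing. A one-line comment on the parameter, e.g. `// fid: file id used only in diagnostic messages; may be null`, would make that contract explicit.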
@@ -133,8 +135,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, 
@@ -517,164 +519,6 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) reporter->InternalError("cannot be reached"); } -double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. 
- // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} - X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type) { certificate = arg_certificate; diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..2681038fc3 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -62,7 +62,6 @@ private: std::string cert_data; // Helpers for ParseCertificate. - static double GetTimeFromAsn1(const ASN1_TIME * atime, const char* fid); static StringVal* KeyCurve(EVP_PKEY *key); static unsigned int KeyLength(EVP_PKEY *key); }; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 692581c871..97a1eba12e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-38-15 +#open 2017-02-09-00-23-43 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET -#close 2015-07-15-20-38-15 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET +#close 2017-02-09-00-23-43 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 1cb587ca17..366671298b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
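Review bot: The updated expected line now has `certId.serialNumber` equal to `certId.issuerKeyHash` (`4ADD06161BBCF668B576F581B6BB621ABA5A812F` appears twice in a row where the old line had `3D474496FF942316`), which matches the new ocsp_fill_cert_id in OCSP.cc earlier in this patch calling `i2a_ASN1_INTEGER(bio, cert_id->serialNumber)` and then `d->Assign(3, new StringVal(len, buf))` without a `len = BIO_read(bio, buf, sizeof(buf));` in between, so the stale issuerKeyHash buffer is stored as the serial. The baseline should keep the old serial and the missing `BIO_read` should be added, rather than regenerating the baseline to match the regression; a wrong serial silently breaks any script that correlates OCSP responses with certificates. The same regressed column appears in the request-only, request-response, response-only and revoked baselines below.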
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-25-27 +#open 2017-02-09-00-24-29 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST -#close 2015-07-15-20-25-27 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST +#close 2017-02-09-00-24-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 881f614583..dc1f8f6657 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-24-10 +#open 2017-02-09-00-24-32 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z POST -#close 2015-07-15-20-24-11 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST +#close 2017-02-09-00-24-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 4027016f1d..eab0e0579b 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-26-35 +#open 2017-02-09-00-24-34 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z - -#close 2015-07-15-20-26-36 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - +#close 2017-02-09-00-24-34 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 8876f251e7..f3889662ee 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-31-20-35-18 +#open 2017-02-09-00-24-36 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST -1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST -1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST -1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 
74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST -#close 2015-07-31-20-35-18 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 
FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST +#close 2017-02-09-00-24-36 From 9c6cebf32415aed69d407a2bf173cbc9fdeecb3c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 12:28:00 -0800 Subject: [PATCH 052/147] OCSP: a bunch of whitespace fixes --- scripts/base/files/x509/ocsp.bro | 12 ++++++------ scripts/policy/protocols/ssl/ocsp-stapling.bro | 6 +++--- src/file_analysis/analyzer/x509/functions.bif | 8 ++++---- src/file_analysis/analyzer/x509/ocsp_functions.bif | 4 ++-- src/main.cc | 4 ++-- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index f417cd6113..078d7f730f 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -248,7 +248,7 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t update_http_info(http, req_rec_empty); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } - } + } event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 { @@ -294,7 +294,7 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request if ( ! http?$original_uri ) return parsed_req;; local uri_prefix: string = get_uri_prefix(http$original_uri); - http$uri_prefix = uri_prefix; + http$uri_prefix = uri_prefix; local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) 
@@ -397,11 +397,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if ( ! f$http?$ocsp_responses ) f$http$ocsp_responses = table(); - + if ( cert_id !in f$http$ocsp_responses ) f$http$ocsp_responses[cert_id] = Queue::init(); - Queue::put(f$http$ocsp_responses[cert_id], resp_rec); + Queue::put(f$http$ocsp_responses[cert_id], resp_rec); } } else @@ -468,7 +468,7 @@ function start_log_ocsp(http: HTTP::Info) log_unmatched_reqs(http); return; } - + for ( cert_id in http$ocsp_responses ) { while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) @@ -502,7 +502,7 @@ function start_log_ocsp(http: HTTP::Info) if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) log_unmatched_reqs(http); } - + # log OCSP information event HTTP::log_http(rec: HTTP::Info) { diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 30f69e3b9a..58e378ab65 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -19,7 +19,7 @@ export { ## size of this response size: count &log; - + ## responseStatus responseStatus: string &log; @@ -34,14 +34,14 @@ export { ## producedAt producedAt: string &log; - + ## NOTE: the following are specific to one cert id ## the above are for one message which may contain ## several responses ## index idx: count &log &optional; - + ## cert id cert_id: OCSP::CertId &log &optional; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e1bddd72e9..0fe65c7d55 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
@@ -548,14 +548,14 @@ x509_verify_chainerror: ## cert: The X509 certificate opaque handle. ## ## hash_alg: the hash algorithm to use -## +## ## Returns: A string of hash of issuer name. -## +## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string - %{ + %{ assert(cert); assert(hash_alg); @@ -583,7 +583,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string return NULL; } - const EVP_MD *dgst; + const EVP_MD *dgst; if (strcmp(h, "sha1") == 0) dgst = EVP_sha1(); else if (strcmp(h, "sha224") == 0) diff --git a/src/file_analysis/analyzer/x509/ocsp_functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif index a5f31f9411..1901b90569 100644 --- a/src/file_analysis/analyzer/x509/ocsp_functions.bif +++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif @@ -11,7 +11,7 @@ ## ## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response - %{ + %{ const unsigned char* start = ocsp_reply->Bytes(); OCSP_RESPONSE *resp = NULL; file_analysis::OCSP_RESPVal* resp_val = NULL; @@ -43,7 +43,7 @@ function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response ## ## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response function ocsp_parse_request%(ocsp_req: string%): OCSP::Request - %{ + %{ const unsigned char* start = ocsp_req->Bytes(); OCSP_REQUEST *req = NULL; file_analysis::OCSP_REQVal* req_val = NULL; diff --git a/src/main.cc b/src/main.cc index 3e1a228644..efda617ba4 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -841,9 +841,9 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - ocsp_req_opaque_type = new OpaqueType("ocsp_req"); + ocsp_req_opaque_type = new OpaqueType("ocsp_req"); ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); - + // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is From e1bcc4509f9393dc16151a744ac26f6db7407511 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 15:43:37 -0800 Subject: [PATCH 053/147] OCSP: rewrite events and data structures. Instead of having a big event, that tries to parse all the data into a huge datastructure, we do the more common thing and use a series of smaller events to parse requests and responses. The new events are: ocsp_request -> raised for an ocsp request, giving version and requestor ocsp_request_certificate -> raised n times per request, once per cert ocsp_response_status -> raised for each ocsp response, giving status ocsp_response_bytes -> raised for each ocsp response with information ocsp_response_certificate -> raised for each cert in an ocsp response --- scripts/base/files/x509/__load__.bro | 2 +- scripts/base/init-bare.bro | 54 ----- src/SerialTypes.h | 3 +- src/Type.h | 1 - .../analyzer/x509/CMakeLists.txt | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 189 +++++++----------- src/file_analysis/analyzer/x509/OCSP.h | 18 +- src/file_analysis/analyzer/x509/events.bif | 2 +- .../analyzer/x509/ocsp_events.bif | 21 +- .../analyzer/x509/ocsp_functions.bif | 68 ------- .../analyzer/x509/ocsp_types.bif | 5 - src/main.cc | 2 - 12 files changed, 90 insertions(+), 277 deletions(-) delete mode 100644 src/file_analysis/analyzer/x509/ocsp_functions.bif delete mode 100644 src/file_analysis/analyzer/x509/ocsp_types.bif 
diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro
index 15c5754b1f..cff81e7254 100644
--- a/scripts/base/files/x509/__load__.bro
+++ b/scripts/base/files/x509/__load__.bro
@@ -1,2 +1,2 @@
 @load ./main
-@load ./ocsp
+#@load ./ocsp
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d31bf8f0b6..ffee527bb7 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3643,60 +3643,6 @@ export {
 };
 }
-
-module OCSP;
-export {
- type OneReq: record {
- hashAlgorithm: string &log;
- issuerNameHash: string &log;
- issuerKeyHash: string &log;
- serialNumber: string &log;
- };
-
- type Request: record {
- version: count &log &optional;
- requestorName: string &log &optional;
- requestList: vector of OneReq;
- };
-
- type SingleResp: record {
- hashAlgorithm: string &log;
- issuerNameHash: string &log;
- issuerKeyHash: string &log;
- serialNumber: string &log;
- certStatus: string &log;
- revoketime: time &log &optional;
- revokereason: string &log &optional;
- thisUpdate: time &log;
- nextUpdate: time &log &optional;
- };
-
- type Response: record {
- responseStatus: string &log;
- responseType: string &log &optional;
- version: count &log &optional;
- responderID: string &log &optional;
- producedAt: time &log &optional;
- responses: vector of SingleResp;
- signatureAlgorithm: string &log &optional;
- #signature: string &optional; #&log;
- certs: vector of opaque of x509 &optional;
- };
-
- type CertId: record {
- hashAlgorithm: string &log &optional;
- issuerNameHash: string &log &optional;
- issuerKeyHash: string &log &optional;
- serialNumber: string &log &optional;
- };
-
- }
-
-module GLOBAL;
-type ocsp_req_vec: vector of OCSP::OneReq;
-type ocsp_resp_vec: vector of OCSP::SingleResp;
-
-
 module SOCKS;
 export {
 ## This record is for a SOCKS client or server to provide either a
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index 6b81227464..8a1a2abf51 100644
--- a/src/SerialTypes.h
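Review bot: `#@load ./ocsp` disables the whole ocsp.bro script — and with it the ocsp.log that the baselines updated earlier in this series cover — without a word on why, and the commit message does not mention it. Since this commit also deletes the `OCSP::Request`/`OCSP::Response` records from init-bare.bro that ocsp.bro's event handlers take, the script cannot load anyway, and a commented-out load reads as an accident to the next reader. Either remove the line and port the script in the same change, or leave a reason, e.g. `# TODO: ocsp.bro still uses the removed OCSP::Request/Response records; re-enable once ported to the new events`.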
+++ b/src/SerialTypes.h
@@ -115,8 +115,7 @@ SERIAL_VAL(CARDINALITY_VAL, 22)
 SERIAL_VAL(X509_VAL, 23)
 SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24)
 SERIAL_VAL(COMM_DATA_VAL, 25)
-SERIAL_VAL(OCSP_REQ_VAL, 26)
-SERIAL_VAL(OCSP_RESP_VAL, 27)
+SERIAL_VAL(OCSP_RESP_VAL, 26)
 #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
 SERIAL_EXPR(EXPR, 1)
diff --git a/src/Type.h b/src/Type.h
index f456d1fba2..ab52e10734 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -628,7 +628,6 @@ extern OpaqueType* cardinality_type;
 extern OpaqueType* topk_type;
 extern OpaqueType* bloomfilter_type;
 extern OpaqueType* x509_opaque_type;
-extern OpaqueType* ocsp_req_opaque_type;
 extern OpaqueType* ocsp_resp_opaque_type;
 // Returns the Bro basic (non-parameterized) type with the given type.
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index e95b4ae6e6..409fb3d4ba 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
 bro_plugin_begin(Bro X509)
 bro_plugin_cc(X509.cc OCSP.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif)
+bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif)
 bro_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index c7747f54ce..a5a1d268e6 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -6,7 +6,6 @@
 #include "Event.h"
 #include "ocsp_events.bif.h"
-#include "ocsp_types.bif.h"
 #include "file_analysis/Manager.h"
@@ -28,7 +27,6 @@ X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
 using namespace file_analysis;
-IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL);
 IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL);
 #define OCSP_STRING_BUF_SIZE 2048
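Review bot: `SERIAL_VAL(OCSP_RESP_VAL, 26)` renumbers a tag that was already in use (27) instead of only retiring the removed OCSP_REQ_VAL; if serialized state written by an earlier build is ever read by this one, a value tagged 27 is no longer recognised and one tagged 26 is decoded as the wrong type. Keeping `SERIAL_VAL(OCSP_RESP_VAL, 27)` and leaving 26 unassigned avoids that at no cost. If the serial tag space is not meant to be stable across builds, a comment at the top of the list saying so would spare the next reader the same question.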
@@ -51,32 +49,29 @@ static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio)
 i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING);
 }
-static RecordVal* ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordType* type, BIO* bio)
+void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio)
 {
- RecordVal *d = new RecordVal(type);
 char buf[OCSP_STRING_BUF_SIZE];
 memset(buf, 0, sizeof(buf));
 i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm);
 int len = BIO_read(bio, buf, sizeof(buf));
- d->Assign(0, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
 i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING);
 len = BIO_read(bio, buf, sizeof(buf));
- d->Assign(1, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
 i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING);
 len = BIO_read(bio, buf, sizeof(buf));
- d->Assign(2, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
 i2a_ASN1_INTEGER(bio, cert_id->serialNumber);
- d->Assign(3, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
-
- return d;
 }
 file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file)
@@ -123,16 +118,8 @@ bool file_analysis::OCSP::EndOfFile()
 return false;
 }
- OCSP_REQVal* req_val = new OCSP_REQVal(req); // req_val takes ownership
-
- RecordVal* req_record = ParseRequest(req_val, GetFile()->GetID().c_str());
-
- // and send the record on to scriptland
- val_list* vl = new val_list();
- vl->append(GetFile()->GetVal()->Ref());
- vl->append(req_val);
- vl->append(req_record);
- mgr.QueueEvent(ocsp_request, vl);
+ ParseRequest(req, GetFile()->GetID().c_str());
+ OCSP_REQUEST_free(req);
 }
 else if (ocsp_type == "response")
 {
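Review bot: In `ocsp_add_cert_id` the serialNumber step appends `new StringVal(len, buf)` straight after `i2a_ASN1_INTEGER(bio, cert_id->serialNumber);` with no `BIO_read`, so scriptland receives the issuerKeyHash text still sitting in `buf`, with its `len`; the ocsp.log baselines updated earlier in this series show exactly that (certId.serialNumber equals certId.issuerKeyHash on every new line), and the serial is the one field a script needs to match a response to a certificate. Insert `len = BIO_read(bio, buf, sizeof(buf));` between the two lines and regenerate the baselines. None of the four `BIO_read` results is checked either; a negative return would be passed to StringVal as a length, so clamping `len` at 0 in one place would cover all four fields. The function has also lost its `static`, which gives a helper with a generic name external linkage.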
@@ -144,14 +131,8 @@ bool file_analysis::OCSP::EndOfFile()
 }
 OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
- RecordVal* resp_record = ParseResponse(resp_val, GetFile()->GetID().c_str());
-
- // and send the record on to scriptland
- val_list* vl = new val_list();
- vl->append(GetFile()->GetVal()->Ref());
- vl->append(resp_val);
- vl->append(resp_record);
- mgr.QueueEvent(ocsp_response, vl);
+ ParseResponse(resp_val, GetFile()->GetID().c_str());
+ Unref(resp_val);
 }
 else
 {
@@ -162,46 +143,48 @@ bool file_analysis::OCSP::EndOfFile()
 return true;
 }
-RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val, const char* fid)
+void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid)
 {
- OCSP_REQUEST *req = req_val->GetReq();
 OCSP_REQINFO *inf = req->tbsRequest;
 char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
 memset(buf, 0, sizeof(buf));
- RecordVal* ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request);
-
- ocsp_req_record->Assign(0, new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT));
+ // build up our response as we go along...
+ val_list* vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
+ vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT));
 BIO *bio = BIO_new(BIO_s_mem());
 if (inf->requestorName != NULL)
 {
 GENERAL_NAME_print(bio, inf->requestorName);
 int len = BIO_read(bio, buf, sizeof(buf));
- ocsp_req_record->Assign(1, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
 }
+ else
+ vl->append(new StringVal(0, ""));
- VectorVal* all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType());
- ocsp_req_record->Assign(2, all_req_bro);
+ mgr.QueueEvent(ocsp_request, vl);
 int req_count = OCSP_request_onereq_count(req);
 for ( int i=0; iappend(GetFile()->GetVal()->Ref());
+ OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
 OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
- RecordVal* one_req_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::OneReq, bio);
- all_req_bro->Assign(i, one_req_bro);
+ ocsp_add_cert_id(cert_id, rvl, bio);
+ mgr.QueueEvent(ocsp_request_certificate, rvl);
 }
 BIO_free(bio);
-
- return ocsp_req_record;
 }
-RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid)
+void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid)
 {
 OCSP_RESPONSE *resp = resp_val->GetResp();
 OCSP_RESPBYTES *resp_bytes = resp->responseBytes;
@@ -210,24 +193,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char
 OCSP_RESPID *resp_id = nullptr;
 int resp_count = 0;
- VectorVal *all_resp_bro = nullptr;
+ VectorVal *certs_vector = nullptr;
+ int len = 0;
 char buf[OCSP_STRING_BUF_SIZE];
 memset(buf, 0, sizeof(buf));
- RecordVal *ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response);
+ val_list* vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
 const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
- ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str));
+ StringVal* status_val = new StringVal(strlen(status_str), status_str);
+ vl->append(status_val->Ref());
+ mgr.QueueEvent(ocsp_response_status, vl);
+ vl = nullptr;
 if (!resp_bytes)
- return ocsp_resp_record;
+ {
+ Unref(status_val);
+ return;
+ }
 BIO *bio = BIO_new(BIO_s_mem());
- i2a_ASN1_OBJECT(bio, resp_bytes->responseType);
- int len = BIO_read(bio, buf, sizeof(buf));
- ocsp_resp_record->Assign(1, new StringVal(len, buf));
- BIO_reset(bio);
+ //i2a_ASN1_OBJECT(bio, resp_bytes->responseType);
+ //int len = BIO_read(bio, buf, sizeof(buf));
+ //BIO_reset(bio);
 // get the basic response
 basic_resp = OCSP_response_get1_basic(resp);
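Review bot: The comment `// build up our response as we go along...` sits in ParseRequest, which builds a request event; `// build up the ocsp_request event arguments as we go along` would be accurate. Separately, this hunk reads `req->tbsRequest`, `inf->version` and `inf->requestorName` straight out of OCSP_REQUEST/OCSP_REQINFO, and the response hunks below do the same with `single_resp->certStatus` and `basic_resp->certs`; if I remember right these structs became opaque in OpenSSL 1.1.0, so if that release is in the supported range this will not build there. Worth confirming, and worth a line in OCSP.h naming the OpenSSL versions the analyzer targets.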
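Review bot: The three commented-out lines starting at `//i2a_ASN1_OBJECT(bio, resp_bytes->responseType);` silently drop responseType from what scriptland sees (the deleted `OCSP::Response` record carried it) without saying whether that is intended; either delete them or restore the field in `ocsp_response_bytes`. `vl = nullptr;` after the first `mgr.QueueEvent` is correct but non-obvious, because the same pointer is reused for the second event later in the function; a comment such as `// ownership of vl passed to the event queue; a fresh list is built below` would help. ParseResponse continues past this hunk.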
@@ -238,19 +228,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char
 if ( !resp_data )
 goto clean_up;
- ocsp_resp_record->Assign(2, new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT));
+ vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
+ vl->append(resp_val->Ref());
+ vl->append(status_val);
+ vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT));
+ // responderID
 resp_id = resp_data->responderId;
 OCSP_RESPID_bio(resp_id, bio);
 len = BIO_read(bio, buf, sizeof(buf));
- ocsp_resp_record->Assign(3, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
 // producedAt
- ocsp_resp_record->Assign(4, new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME));
-
- all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType());
- ocsp_resp_record->Assign(5, all_resp_bro);
+ vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME));
 // responses
 resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses);
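Review bot: `status_val` is only handed over at `vl->append(status_val);`, which comes after the `goto clean_up` on `!resp_data`, and `clean_up:` never releases it, so the reference created in the previous hunk leaks on that path (and on any other `goto clean_up` between the two hunks, e.g. when no basic response can be extracted). The `!resp_bytes` branch already does `Unref(status_val); return;`; the gotos need the same, e.g. `if ( !resp_data ) { Unref(status_val); goto clean_up; }`, or the append should move ahead of the first goto so the list owns it. ParseResponse starts and ends outside this hunk.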
@@ -260,39 +252,51 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char
 if ( !single_resp )
 continue;
+ val_list* rvl = new val_list();
+ rvl->append(GetFile()->GetVal()->Ref());
+ // cert id
 OCSP_CERTID *cert_id = single_resp->certId;
- RecordVal *single_resp_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::SingleResp, bio);
+ ocsp_add_cert_id(cert_id, rvl, bio);
 BIO_reset(bio);
 // certStatus
 OCSP_CERTSTATUS *cert_status = single_resp->certStatus;
 const char* cert_status_str = OCSP_cert_status_str(cert_status->type);
- single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str));
+ rvl->append(new StringVal(strlen(cert_status_str), cert_status_str));
 // revocation time and reason if revoked
 if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED )
 {
 OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked;
- single_resp_bro->Assign(5, new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME));
+ rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME));
 if ( revoked_info->revocationReason )
 {
 const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason));
- single_resp_bro->Assign(6, new StringVal(strlen(revoke_reason), revoke_reason));
+ rvl->append(new StringVal(strlen(revoke_reason), revoke_reason));
 }
+ else
+ rvl->append(new StringVal(0, ""));
+ }
+ else
+ {
+ rvl->append(new Val(0, TYPE_TIME));
+ rvl->append(new StringVal(0, ""));
 }
- single_resp_bro->Assign(7, new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME));
+ rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME));
 if ( single_resp->nextUpdate )
- single_resp_bro->Assign(8, new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME));
+ rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME));
+ else
+ rvl->append(new Val(0, TYPE_TIME));
- all_resp_bro->Assign(i, single_resp_bro);
+ mgr.QueueEvent(ocsp_response_certificate, rvl);
 }
 i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
 len = BIO_read(bio, buf, sizeof(buf));
- ocsp_resp_record->Assign(6, new StringVal(len, buf));
+ vl->append(new StringVal(len, buf));
 BIO_reset(bio);
 //i2a_ASN1_OBJECT(bio, basic_resp->signature);
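Review bot: `rvl->append(new Val(0, TYPE_TIME))` for a missing revocationTime or nextUpdate and `new StringVal(0, "")` for a missing reason encode absence as epoch 0 and the empty string; the record types this commit deletes had those fields `&optional`, so a script can no longer tell a response without nextUpdate (which RFC 6960 uses to mean newer information may be available at any time) from one that carries it. If optional event parameters are not an option, the sentinels must at least be documented on `ocsp_response_certificate` in ocsp_events.bif, e.g. `## nextUpdate: ... 0 if the response does not carry a nextUpdate`. The `BIO_reset(bio);` right after `ocsp_add_cert_id(cert_id, rvl, bio);` is redundant, since the helper resets after each field.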
@@ -300,10 +304,10 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char
 //ocsp_resp_record->Assign(7, new StringVal(len, buf));
 //BIO_reset(bio);
- //certs
+ certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
+ vl->append(certs_vector);
 if ( basic_resp->certs )
 {
- VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
 int num_certs = sk_X509_num(basic_resp->certs);
 for ( int i=0; iWeird("OpenSSL returned null certificate");
 }
- ocsp_resp_record->Assign(7, certs_vector);
 }
+ mgr.QueueEvent(ocsp_response_bytes, vl);
 clean_up:
 if (basic_resp)
 OCSP_BASICRESP_free(basic_resp);
 BIO_free(bio);
- return ocsp_resp_record;
 }
-OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type)
- {
- ocsp_req = arg_ocsp_req;
- }
-
-OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type)
- {
- ocsp_req = nullptr;
- }
-
-OCSP_REQVal::~OCSP_REQVal()
- {
- if (ocsp_req)
- OCSP_REQUEST_free(ocsp_req);
- }
-
-OCSP_REQUEST* OCSP_REQVal::GetReq() const
- {
- return ocsp_req;
- }
-
-bool OCSP_REQVal::DoSerialize(SerialInfo* info) const
- {
- DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal);
- unsigned char *buf = nullptr;
- int length = i2d_OCSP_REQUEST(ocsp_req, &buf);
- if ( length < 0 )
- return false;
- bool res = SERIALIZE_STR(reinterpret_cast(buf), length);
- OPENSSL_free(buf);
- return res;
- }
-
-bool OCSP_REQVal::DoUnserialize(UnserialInfo* info)
- {
- DO_UNSERIALIZE(OpaqueVal)
-
- int length;
- unsigned char *ocsp_req_buf, *opensslbuf;
-
- if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) )
- return false;
- opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really.
- ocsp_req = d2i_OCSP_REQUEST(nullptr, const_cast(&opensslbuf), length);
- delete[] ocsp_req_buf;
- if ( !ocsp_req )
- return false;
- return true;
- }
-
-
-//OCSP_RESPVal
 OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
 {
 ocsp_resp = arg_ocsp_resp;
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
index ab40c13bca..2ab9b014fd 100644
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -15,7 +15,6 @@ namespace file_analysis {
-class OCSP_REQVal;
 class OCSP_RESPVal;
 class OCSP : public file_analysis::Analyzer {
@@ -24,8 +23,6 @@ public:
 virtual bool Undelivered(uint64 offset, uint64 len);
 virtual bool EndOfFile();
- static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = 0);
- static RecordVal *ParseRequest(OCSP_REQVal *, const char* fid = 0);
 static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
@@ -33,22 +30,13 @@ protected:
 OCSP(RecordVal* args, File* file, const string& ocsp_type);
 private:
+ void ParseResponse(OCSP_RESPVal *, const char* fid = 0);
+ void ParseRequest(OCSP_REQUEST *, const char* fid = 0);
+
 std::string ocsp_data;
 std::string ocsp_type;
 };
-class OCSP_REQVal: public OpaqueVal {
-public:
- explicit OCSP_REQVal(OCSP_REQUEST *);
- ~OCSP_REQVal();
- OCSP_REQUEST *GetReq() const;
-protected:
- OCSP_REQVal();
-private:
- OCSP_REQUEST *ocsp_req;
- DECLARE_SERIAL(OCSP_REQVal);
-};
-
 class OCSP_RESPVal: public OpaqueVal {
 public:
 explicit OCSP_RESPVal(OCSP_RESPONSE *);
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index fcdeaa31d1..5f435faad8 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
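Review bot: Nothing before `mgr.QueueEvent(ocsp_response_bytes, vl);` verifies the basic response — the signature handling stays commented out and `certs_vector` is filled from `basic_resp->certs` exactly as the peer sent them — so every value scriptland gets, certStatus included, is unauthenticated responder-supplied data. Leaving verification to scriptland is a fair split for an analyzer, but it should be stated once in the `ocsp_response_bytes` doc comment (`## Note: the analyzer does not validate the response signature; status values are as sent by the responder`), especially now that `certs` are handed out as opaque x509 values ready to be used. The stale `//ocsp_resp_record->Assign(7, new StringVal(len, buf));` and `//BIO_reset(bio);` lines refer to a variable that no longer exists and should go. The enclosing function starts outside this hunk.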
@@ -1,4 +1,4 @@
-## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
+## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
 ## connection handshake.
 ##
 ## See `Wikipedia `__ for more information
diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
index b956e2c12e..2a1e5805c9 100644
--- a/src/file_analysis/analyzer/x509/ocsp_events.bif
+++ b/src/file_analysis/analyzer/x509/ocsp_events.bif
@@ -1,18 +1,19 @@
-## Generated for encountered OCSP request
-##
+## Event that is raised when encountering an OCSP request, e.g. in an HTTP
+## connection. See :rfc:`6960` for more details.
 ##
 ## f: The file.
 ##
-## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
-## OCSP request
+## req: version: the version of the OCSP request. Typically 0 (Version 1).
 ##
-## req: The parsed OCSP request information.
+## requestorName: name of the OCSP requestor. This attribute is optional; if
+## it is not set, an empty string is returned here.
 ##
-event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%);
+event ocsp_request%(f: fa_file, version: count, requestorName: string%);
+
+event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%);
 ## Generated for encountered OCSP response
 ##
-##
 ## f: The file.
 ##
 ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
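Review bot: `event ocsp_request_certificate%(...)` is added without a doc comment, and the `ocsp_request` block now reads `## req: version: ...`, a leftover of the old `req` parameter that will document a parameter that no longer exists. Suggest `## version: the version of the OCSP request. Typically 0 (Version 1).` and, for the new event, a block saying it is raised once per certificate in the request, after `ocsp_request` for the same file, with hashAlgorithm as an algorithm name and the two hashes and the serial as hex strings (as the baselines earlier in this series show). The next hunk has the same gap: its `req_ref`/`req` paragraph now sits above `ocsp_response_status`, and `ocsp_response_bytes` and `ocsp_response_certificate` are undocumented even though the C++ side passes placeholder values (0 times, empty strings) for absent fields that a reader can otherwise only learn about from the source.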
@@ -20,4 +21,8 @@ event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%
 ##
 ## req: The parsed OCSP response information.
 ##
-event ocsp_response%(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response%);
+event ocsp_response_status%(f: fa_file, status: string%);
+
+event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
+
+event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%);
diff --git a/src/file_analysis/analyzer/x509/ocsp_functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif
deleted file mode 100644
index 1901b90569..0000000000
--- a/src/file_analysis/analyzer/x509/ocsp_functions.bif
+++ /dev/null
@@ -1,68 +0,0 @@ -%%{ -#include "file_analysis/analyzer/x509/OCSP.h" -#include "ocsp_types.bif.h" -%%} - -## Parses a OCSP response into an OCSP::Response structure. -## -## ocsp_reply: OCSP data. -## -## Returns: A OCSP::Response structure. -## -## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request -function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response - %{ - const unsigned char* start = ocsp_reply->Bytes(); - OCSP_RESPONSE *resp = NULL; - file_analysis::OCSP_RESPVal* resp_val = NULL; - RecordVal* resp_record = NULL; - resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len()); - if ( ! resp ) - { - reporter->Weird("OPENSSL Could not parse OCSP response"); - return NULL; - } - resp_val = new file_analysis::OCSP_RESPVal(resp); - resp_record = file_analysis::OCSP::ParseResponse(resp_val); - if (!resp_record) - { - reporter->Weird("Internal fail to parse OCSP response"); - Unref(resp_val); - return NULL; - } - Unref(resp_val); - //Unref(resp_record); - return resp_record; - %} - -## Parses a OCSP request into an OCSP::Request structure. -## -## ocsp_req: OCSP data. -## -## Returns: A OCSP::Request structure. -## -## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response -function ocsp_parse_request%(ocsp_req: string%): OCSP::Request - %{ - const unsigned char* start = ocsp_req->Bytes(); - OCSP_REQUEST *req = NULL; - file_analysis::OCSP_REQVal* req_val = NULL; - RecordVal* req_record = NULL; - req = d2i_OCSP_REQUEST(NULL, &start, ocsp_req->Len()); - if ( ! req ) - { - reporter->Weird("OPENSSL Could not parse OCSP request"); - return NULL; - } - req_val = new file_analysis::OCSP_REQVal(req); - req_record = file_analysis::OCSP::ParseRequest(req_val); - if (!req_record) - { - reporter->Weird("Internal fail to parse OCSP request"); - Unref(req_val); - return NULL; - } - Unref(req_val); - //Unref(req_record); - return req_record; - %} 
diff --git a/src/file_analysis/analyzer/x509/ocsp_types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif deleted file mode 100644 index 8d8cb5dd9b..0000000000 --- a/src/file_analysis/analyzer/x509/ocsp_types.bif +++ /dev/null @@ -1,5 +0,0 @@ -type OCSP::Request: record; -type OCSP::Response: record; -type OCSP::OneReq: record; -type OCSP::SingleResp: record; -type OCSP::CertId: record; diff --git a/src/main.cc b/src/main.cc index efda617ba4..11df1af0c2 100644 --- a/src/main.cc +++ b/src/main.cc @@ -129,7 +129,6 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; -OpaqueType* ocsp_req_opaque_type = 0; OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line @@ -841,7 +840,6 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - ocsp_req_opaque_type = new OpaqueType("ocsp_req"); ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); // The leak-checker tends to produce some false From 1b19ab78b63ee212434f932e3d49fa229ef8631c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 16:14:08 -0800 Subject: [PATCH 054/147] OCSP: split into two analysers in scriptland. Instead of having an additional string argument specifying if we are sending a request or a reply, we now have an ANALYZER_OCSP_REQUEST and an ANALYZER_OCSP_REPLY --- scripts/base/files/x509/ocsp.bro | 4 ++-- src/file_analysis/analyzer/x509/OCSP.cc | 29 +++++++++-------------- src/file_analysis/analyzer/x509/OCSP.h | 8 +++---- src/file_analysis/analyzer/x509/Plugin.cc | 3 ++- 4 files changed, 19 insertions(+), 25 deletions(-) diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index 078d7f730f..cb8c340c64 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro 
@@ -13,7 +13,7 @@ export { ocsp_type: string &optional; }; - ## ocsp logging + ## ocsp logging redef enum Log::ID += { LOG }; ## type for pending ocsp request @@ -23,7 +23,7 @@ export { ## one ocsp request record type Info_req: record { ## time for the request - ts: time; + ts: time; ## file id for this request or ## hash of the GET url if it's GET request id: string &log &optional; diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index a5a1d268e6..e3ac124260 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -74,21 +74,19 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) BIO_reset(bio); } -file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) +file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file) { - Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); - - if (! ocsp_type ) - return 0; - - return new OCSP(args, file, ocsp_type->AsString()->CheckString()); + return new OCSP(args, file, true); } -file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) - : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) +file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) + { + return new OCSP(args, file, false); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) + : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) { - ocsp_type = arg_ocsp_type; - ocsp_data.clear(); } bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) @@ -108,7 +106,7 @@ bool file_analysis::OCSP::EndOfFile() { const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); - if (ocsp_type == "request") + if ( request ) { OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); 
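Review bot: The new constructor in the OCSP.cc hunk still resolves its tag with `file_mgr->GetComponentTag("OCSP")`, while this same commit registers the components as "OCSP_REQUEST" and "OCSP_REPLY" in Plugin.cc, so no component named "OCSP" exists anymore. Unless GetComponentTag tolerates an unknown name (not visible here), both analyzers are constructed with an invalid tag and whatever the file framework keys on that tag will misbehave. Resolve the tag from the flag instead: `: file_analysis::Analyzer(file_mgr->GetComponentTag(arg_request ? "OCSP_REQUEST" : "OCSP_REPLY"), args, file), request(arg_request)`. A one-line comment on the `request` member explaining that the two script-level analyzers share one C++ class would make the lookup self-explanatory.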
@@ -121,7 +119,7 @@ bool file_analysis::OCSP::EndOfFile() ParseRequest(req, GetFile()->GetID().c_str()); OCSP_REQUEST_free(req); } - else if (ocsp_type == "response") + else { OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); if (!resp) @@ -134,11 +132,6 @@ bool file_analysis::OCSP::EndOfFile() ParseResponse(resp_val, GetFile()->GetID().c_str()); Unref(resp_val); } - else - { - reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); - return false; - } return true; } diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 2ab9b014fd..4c3ebed525 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -23,18 +23,18 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); protected: - OCSP(RecordVal* args, File* file, const string& ocsp_type); + OCSP(RecordVal* args, File* file, bool request); private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); std::string ocsp_data; - std::string ocsp_type; + bool request = false; // true if ocsp request, false if reply }; class OCSP_RESPVal: public OpaqueVal { diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index 5a0b67136a..31dbe346a8 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc 
@@ -14,7 +14,8 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); - AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest)); + AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply)); plugin::Configuration config; config.name = "Bro::X509"; From 9fd78165018aeb036787dc788b10daa0f5eb73fc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 12:34:23 -0800 Subject: [PATCH 055/147] Allow File analyzers to direcly pass mime type. This makes it much easier for protocols where the mime type is known in advance like, for example, TLS. We now do no longer have to perform deep script-level magic. --- scripts/base/files/x509/main.bro | 9 ++++++++ scripts/base/init-bare.bro | 3 +++ scripts/base/protocols/krb/files.bro | 6 ----- scripts/base/protocols/rdp/main.bro | 4 ---- scripts/base/protocols/ssl/files.bro | 6 ----- src/analyzer/protocol/krb/krb-padata.pac | 8 +++---- src/analyzer/protocol/rdp/rdp-analyzer.pac | 2 +- .../protocol/ssl/proc-certificate.pac | 5 +++- src/file_analysis/File.cc | 23 +++++++++++++++++++ src/file_analysis/File.h | 20 ++++++++++++++++ src/file_analysis/Manager.cc | 11 +++++++-- src/file_analysis/Manager.h | 18 +++++++++++++-- 12 files changed, 89 insertions(+), 26 deletions(-) diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index bbf99f6a4d..44ea83fc39 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro 
@@ -38,6 +38,15 @@ export { event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + # Always calculate hashes. They are not necessary for base scripts + # but very useful for identification, and required for policy scripts + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); } redef record Files::Info += { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index ffee527bb7..f3421fd557 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -446,6 +446,9 @@ type fa_metadata: record { mime_type: string &optional; ## All matching mime types if any were discovered. mime_types: mime_matches &optional; + ## Specifies if the mime type was inferred using signatures, + ## or provided by the protocol the file appeared in. + inferred: bool &default=T; }; ## Fields of a SYN packet. diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index cd2127c605..947c2db41a 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -101,12 +101,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori } c$krb = info; - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } function fill_in_subjects(c: connection) 
diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro index c6d550c3f7..f543fd2cae 100644 --- a/scripts/base/protocols/rdp/main.bro +++ b/scripts/base/protocols/rdp/main.bro @@ -236,10 +236,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori { # Count up X509 certs. ++c$rdp$cert_count; - - Files::add_analyzer(f, Files::ANALYZER_X509); - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } } diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index fad0fa0483..8a1380a270 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -114,12 +114,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info; c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id; } - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts. - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } event ssl_established(c: connection) &priority=6 diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index b178239f4d..4667ab1677 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -75,8 +75,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; 
@@ -99,8 +99,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), false, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index 01b47e9478..1ba2c465d8 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -142,7 +142,7 @@ refine flow RDP_Flow += { connection()->bro_analyzer()->GetAnalyzerTag(), connection()->bro_analyzer()->Conn(), false, // It seems there are only server certs? - file_id); + file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); return true; diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index c2353e3a88..ee2247e5be 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac @@ -9,6 +9,9 @@ common.AddRaw(is_orig ? "T" : "F", 1); bro_analyzer()->Conn()->IDString(&common); + string user_mime = "application/x-x509-user-cert"; + string ca_mime = "application/x-x509-ca-cert"; + for ( unsigned int i = 0; i < certificates->size(); ++i ) { const bytestring& cert = (*certificates)[i]; @@ -21,7 +24,7 @@ file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), is_orig, file_id); + bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime); file_mgr->EndOfFile(file_id); } return true; diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 46e67f7cd8..2d9017a338 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
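Review bot: The second DataIn call in the krb-padata.pac hunk changes its is_orig argument from `false` to `true` alongside the mime-type addition, which the commit message does not mention and which makes both Kerberos certificate paths claim the originator direction. If the second call handles the reply-side certificate (its previous `false` suggests so), the line should stay `bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert");`; if the flip is intentional it changes the file IDs and the direction recorded for those files and deserves a comment or its own commit. The enclosing proc_padata function starts and ends outside the hunk.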
@@ -55,6 +55,7 @@ int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; int File::meta_mime_type_idx = -1; int File::meta_mime_types_idx = -1; +int File::meta_inferred_idx = -1; void File::StaticInit() { @@ -76,6 +77,7 @@ void File::StaticInit() bof_buffer_idx = Idx("bof_buffer", fa_file_type); meta_mime_type_idx = Idx("mime_type", fa_metadata_type); meta_mime_types_idx = Idx("mime_types", fa_metadata_type); + meta_inferred_idx = Idx("inferred", fa_metadata_type); } File::File(const string& file_id, const string& source_name, Connection* conn, @@ -290,6 +292,27 @@ void File::SetReassemblyBuffer(uint64 max) reassembly_max_buffer = max; } +bool File::SetMime(const string& mime_type) + { + if ( mime_type.empty() || bof_buffer.size != 0 ) + return false; + + did_metadata_inference = true; + bof_buffer.full = true; + + if ( ! FileEventAvailable(file_sniff) ) + return false; + + val_list* vl = new val_list(); + vl->append(val->Ref()); + RecordVal* meta = new RecordVal(fa_metadata_type); + vl->append(meta); + meta->Assign(meta_mime_type_idx, new StringVal(mime_type)); + meta->Assign(meta_inferred_idx, new Val(0, TYPE_BOOL)); + FileEvent(file_sniff, vl); + return true; + } + void File::InferMetadata() { did_metadata_inference = true; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index c799907a8f..c52d9efbc4 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h 
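Review bot: File::SetMime commits state before it can still fail: it sets `did_metadata_inference = true` and `bof_buffer.full = true` and then returns false when no file_sniff handler exists, so the File.h doc's "false if it could not be set" no longer matches — sniffing was disabled but the caller is told nothing happened. Its guard also only looks at `bof_buffer.size`; whether a later chunk re-fires file_sniff depends on whether File::DataIn still grows bof_buffer once `full` is set, which is not visible here, so `if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference ) return false;` would make the "first chunk only" contract explicit. After the two assignments, fire the event only if a handler is available and return true in both cases. A short comment such as `// Protocol-supplied type is trusted verbatim and suppresses signature-based sniffing for this file` would tell readers that nothing validates the string against the content.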
@@ -171,6 +171,25 @@ public: */ void FileEvent(EventHandlerPtr h, val_list* vl); + + /** + * Sets the MIME type for a file to a specific value. + * + * Setting the MIME type has to be done before the MIME type is + * inferred from the content. After a MIME type has been set once, + * it cannot be changed anymore. + * + * This function should only be called when it does not make sense + * to perform automated MIME type detections. This is e.g. the case + * in protocols where the file type is fixed in the protocol description. + * This is for example the case for TLS and X.509 certificates. + * + * @param mime_type mime type to set + * @return true if the mime type was set. False if it could not be set because + * a mime type was already set or inferred. + */ + bool SetMime(const string& mime_type); + protected: friend class Manager; friend class FileReassembler; @@ -319,6 +338,7 @@ protected: static int bof_buffer_idx; static int mime_type_idx; static int mime_types_idx; + static int meta_inferred_idx; static int meta_mime_type_idx; static int meta_mime_types_idx; diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 217c901969..3140a1e9db 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -110,7 +110,7 @@ void Manager::SetHandle(const string& handle) string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const string& precomputed_id) + const string& precomputed_id, const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; File* file = GetFile(id, conn, tag, is_orig); @@ -118,6 +118,9 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len, offset); if ( file->IsComplete() ) 
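Review bot: Manager::DataIn discards the result of `file->SetMime(mime_type)`, so a protocol-supplied type that SetMime rejects (data already in the BOF buffer, or a later chunk) is dropped silently while the Manager.h doc promises detection is disabled; the sequential overload in the next hunk has the same pattern. At minimum say so at the call site: `// Return value ignored: only the first chunk can set the type, later chunks fall back to sniffing.` If an analyzer passing a type on every chunk should be noticed, surface a rejection as a weird instead.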
@@ -130,7 +133,8 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, } string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, - Connection* conn, bool is_orig, const string& precomputed_id) + Connection* conn, bool is_orig, const string& precomputed_id, + const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; // Sequential data input shouldn't be going over multiple conns, so don't @@ -140,6 +144,9 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len); if ( file->IsComplete() ) diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index bcc8ac5dd2..d4ab6c8dfc 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -93,6 +93,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -101,7 +107,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data. 
@@ -113,6 +120,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -121,7 +134,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data from external source (e.g. input framework). From 8b50a1e09b21ae57632091542d668e626a4a1ee8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 12:47:24 -0800 Subject: [PATCH 056/147] SSL: parse OCSP stapled extension as file --- .../protocol/ssl/tls-handshake-analyzer.pac | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index e16606a0b0..799162a32f 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
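Review bot: The new `@param mime_type` text in both Manager.h hunks reads "If this parameter is give" and does not say that the value is taken on trust; since it now decides which file analyzers attach (the X509 registration is keyed on this string), a reader should be told it bypasses content sniffing entirely. Suggested wording for that sentence: "If this parameter is given, signature-based MIME detection is skipped for the file; the value is taken from the protocol as-is and is not validated against the content." The "only used for the first bit of data" sentence is correct and worth keeping.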
@@ -211,13 +211,31 @@ refine connection Handshake_Conn += { function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 || status_type == 2 ) // ocsp + ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(bro_analyzer()->Conn()->StartTime()); + common.AddRaw("F"); + bro_analyzer()->Conn()->IDString(&common); + + if ( status_type == 1 || status_type == 2 ) // ocsp { + ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add("ocsp"); + + string file_id = file_mgr->HashHandle(file_handle.Description()); + + file_mgr->DataIn(reinterpret_cast(response.data()), + response.length(), bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data()), status_type); + + } return true; %} From cdcc21ea4bfc57c8adf53685868d8fea5b0d1613 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 13:31:15 -0800 Subject: [PATCH 057/147] OCSP: generic extension parsing. Raises ocsp_extension event if an extension is present in the reply or in one of the singlereplies. --- src/file_analysis/analyzer/x509/OCSP.cc | 75 ++++++++++++++++++- src/file_analysis/analyzer/x509/OCSP.h | 1 + src/file_analysis/analyzer/x509/X509.cc | 1 + .../analyzer/x509/ocsp_events.bif | 2 + 4 files changed, 78 insertions(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index e3ac124260..704df3a6db 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -3,8 +3,10 @@ #include #include "OCSP.h" +#include "X509.h" #include "Event.h" +#include "types.bif.h" #include "ocsp_events.bif.h" #include "file_analysis/Manager.h" 
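Review bot: The stapled-OCSP path hands the response to `file_mgr->DataIn(...)` but never calls `file_mgr->EndOfFile(file_id)`, unlike the certificate path in proc-certificate.pac; the OCSP analyzer only parses its accumulated bytes in EndOfFile(), so the reply is not analysed until the file times out, and because the handle is built from the connection start time and ID only, a second staple on the same connection would be appended to the same file. Add `file_mgr->EndOfFile(file_id);` directly after the DataIn call. status_type 2 is ocsp_multi (RFC 6961), whose payload is a length-prefixed list of OCSPResponse structures rather than a single DER OCSPResponse, so labelling it "application/ocsp-response" gives the analyzer data d2i_OCSP_RESPONSE cannot parse — limit the file delivery to `status_type == 1` or split the list first. The hard-coded `"F"` in the handle and the `false` passed to DataIn also disagree with the `${rec.is_orig}` used for the event; if stapled responses are assumed to come only from the server, a comment should say so.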
@@ -185,7 +187,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) OCSP_RESPDATA *resp_data = nullptr; OCSP_RESPID *resp_id = nullptr; - int resp_count = 0; + int resp_count, num_ext = 0; VectorVal *certs_vector = nullptr; int len = 0; @@ -285,6 +287,16 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) rvl->append(new Val(0, TYPE_TIME)); mgr.QueueEvent(ocsp_response_certificate, rvl); + + num_ext = OCSP_SINGLERESP_get_ext_count(single_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, false); + } } i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); 
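Review bot: The first hunk rewrites `int resp_count = 0;` as `int resp_count, num_ext = 0;`, which initialises only num_ext and leaves resp_count indeterminate; whether it is assigned before its first use is outside the hunk, but the original initialiser was dropped for no stated reason. Keep one declaration per line: `int resp_count = 0;` and `int num_ext = 0;`. The enclosing ParseResponse starts and ends outside this hunk.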
@@ -314,12 +326,73 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) } mgr.QueueEvent(ocsp_response_bytes, vl); + // ok, now that we are done with the actual certificate - let's parse extensions :) + num_ext = OCSP_BASICRESP_get_ext_count(basic_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, true); + } + + clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); } +// This is a near copy from X509 +void file_analysis::OCSP::ParseExtension(X509_EXTENSION* ex, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + M_ASN1_OCTET_STRING_print(bio,ex->value); + + StringVal* ext_val = X509::GetExtensionFromBIO(bio); + + if ( ! ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + vl->append(new Val(global ? 
1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(ocsp_extension, vl); + } + OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) { ocsp_resp = arg_ocsp_resp; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 4c3ebed525..f3560ecea4 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -32,6 +32,7 @@ protected: private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); + void ParseExtension(X509_EXTENSION*, bool global); std::string ocsp_data; bool request = false; // true if ocsp request, false if reply diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index a98b96f244..5c6eb2a5ee 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -248,6 +248,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) return ext_val; } +// this is nearly replicated in the OCSP analyzer void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) { char name[256]; diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 2a1e5805c9..76208c210e 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -26,3 +26,5 @@ event ocsp_response_status%(f: fa_file, status: string%); event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); + +event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); 
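Review bot: OCSP::ParseExtension reaches into the OpenSSL struct with `M_ASN1_OCTET_STRING_print(bio, ex->value)`; X509_EXTENSION is opaque from OpenSSL 1.1.0 and the M_ macros are gone there, so the fallback should go through the accessor: `ASN1_STRING_print(bio, X509_EXTENSION_get_data(ex));`. The same line exists in X509::ParseExtension, which the added comments acknowledge as a near copy, so the fix belongs in both places. The `ocsp_extension` event added to ocsp_events.bif has no `##` description of what `global_resp` distinguishes; one line such as "global_resp: T for an extension of the BasicOCSPResponse, F for one attached to a SingleResponse" would cover it.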
From c550521221561809050cddfa7e8d2a11dcaaae84 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 15:18:52 -0800 Subject: [PATCH 058/147] OCSP: parse signed certificate timestamps With this change, we also parse signed certificate timestamps from OCSP replies. This introduces a common base class between the OCSP and X509 analyzer, which now share a bit of common code. The event for signed certificate timestamps is raised by both and thus renamed do: x509_ocsp_ext_signed_certificate_timestamp --- src/file_analysis/analyzer/x509/Asn1Time.h | 157 --------- .../analyzer/x509/CMakeLists.txt | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 61 +--- src/file_analysis/analyzer/x509/OCSP.h | 13 +- src/file_analysis/analyzer/x509/X509.cc | 170 ++-------- src/file_analysis/analyzer/x509/X509.h | 27 +- src/file_analysis/analyzer/x509/X509Common.cc | 315 ++++++++++++++++++ src/file_analysis/analyzer/x509/X509Common.h | 44 +++ src/file_analysis/analyzer/x509/events.bif | 2 +- .../analyzer/x509/x509-extension.pac | 2 +- .../x509/signed_certificate_timestamp.test | 2 +- 11 files changed, 404 insertions(+), 391 deletions(-) delete mode 100644 src/file_analysis/analyzer/x509/Asn1Time.h create mode 100644 src/file_analysis/analyzer/x509/X509Common.cc create mode 100644 src/file_analysis/analyzer/x509/X509Common.h diff --git a/src/file_analysis/analyzer/x509/Asn1Time.h b/src/file_analysis/analyzer/x509/Asn1Time.h deleted file mode 100644 index 31013ec2a7..0000000000 --- a/src/file_analysis/analyzer/x509/Asn1Time.h +++ /dev/null 
@@ -1,157 +0,0 @@ -static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. 
- // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index 1eb3732022..a4c5767e56 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) +bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc) bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif) bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 704df3a6db..1c27720e36 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -17,7 +17,6 @@ #include #include "file_analysis/analyzer/x509/X509.h" -#include "Asn1Time.h" // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) 
@@ -87,7 +86,7 @@ file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) } file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) - : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) { } @@ -295,7 +294,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( ! ex ) continue; - ParseExtension(ex, false); + ParseExtension(ex, ocsp_extension, false); } } 
@@ -334,63 +333,23 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( ! ex ) continue; - ParseExtension(ex, true); + ParseExtension(ex, ocsp_extension, true); } - clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); } -// This is a near copy from X509 -void file_analysis::OCSP::ParseExtension(X509_EXTENSION* ex, bool global) +void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = X509::GetExtensionFromBIO(bio); - - if ( ! ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - vl->append(new Val(global ? 
1 : 0, TYPE_BOOL)); - - mgr.QueueEvent(ocsp_extension, vl); +#ifdef NID_ct_cert_scts + if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); } OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index f3560ecea4..d1d15dd14f 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -8,20 +8,19 @@ #include "Val.h" #include "../File.h" #include "Analyzer.h" +#include "X509Common.h" #include -#include -#include namespace file_analysis { class OCSP_RESPVal; -class OCSP : public file_analysis::Analyzer { +class OCSP : public file_analysis::X509Common { public: - virtual bool DeliverStream(const u_char* data, uint64 len); - virtual bool Undelivered(uint64 offset, uint64 len); - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); @@ -32,7 +31,7 @@ protected: private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); - void ParseExtension(X509_EXTENSION*, bool global); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string ocsp_data; bool request = false; // true if ocsp request, false if reply diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 4a2a9cc5c2..f9ec91c9d1 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
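Review bot: The `#ifdef NID_ct_cert_scts` / dotted-OID fallback that decides whether to call ParseSignedCertificateTimestamps is now written out twice, here in OCSP::ParseExtensionsSpecific and again in X509::ParseExtensionsSpecific in the X509.cc hunk `@@ -380,6 +231,23 @@`. Both classes derive from X509Common, so one protected helper there, `static bool IsSctExtension(ASN1_OBJECT* ext_asn, const char* oid);` holding the `#ifdef` and the two OID literals, would let each override collapse to `if ( IsSctExtension(ext_asn, oid) ) ParseSignedCertificateTimestamps(ex);` and keep the OpenSSL-version fallback in a single place. The `global` parameter is unused in the OCSP override; the signature is fixed by the base class, but a short comment saying the flag is only consumed by the base when queuing the event would make that intentional. The hunk starts inside OCSP::ParseResponse, whose beginning is outside the hunk.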
@@ -4,7 +4,6 @@ #include "X509.h" #include "Event.h" -#include "x509-extension_pac.h" #include "events.bif.h" #include "types.bif.h" @@ -17,14 +16,12 @@ #include #include -#include "Asn1Time.h" - using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); file_analysis::X509::X509(RecordVal* args, file_analysis::File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file) { cert_data.clear(); } @@ -75,7 +72,7 @@ bool file_analysis::X509::EndOfFile() if ( ! ex ) continue; - ParseExtension(ex); + ParseExtension(ex, x509_extension, false); } // X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted 
@@ -208,152 +205,6 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* return pX509Cert; } -StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) - { - BIO_flush(bio); - ERR_clear_error(); - int length = BIO_pending(bio); - - if ( ERR_peek_error() != 0 ) - { - char tmp[120]; - ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); - reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); - BIO_free_all(bio); - return 0; - } - - if ( length == 0 ) - { - BIO_free_all(bio); - return new StringVal(""); - } - - char* buffer = (char*) malloc(length); - - if ( ! buffer ) - { - // Just emit an error here and try to continue instead of aborting - // because it's unclear the length value is very reliable. - reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); - BIO_free_all(bio); - return 0; - } - - BIO_read(bio, (void*) buffer, length); - StringVal* ext_val = new StringVal(length, buffer); - - free(buffer); - BIO_free_all(bio); - - return ext_val; - } - -// this is nearly replicated in the OCSP analyzer -void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) - { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = GetExtensionFromBIO(bio); - - if ( ! 
ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - - mgr.QueueEvent(x509_extension, vl); - - // look if we have a specialized handler for this event... - if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) - ParseBasicConstraints(ex); - - else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) - ParseSAN(ex); - -#ifdef NID_ct_cert_scts - else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) -#else - else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) -#endif - ParseSignedCertificateTimestamps(ex); - } - -void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) - { - // Ok, signed certificate timestamps are a bit of an odd case out; we don't - // want to use the (basically nonexistant) OpenSSL functionality to parse them. - // Instead we have our own, self-written binpac parser to parse just them, - // which we will initialize here and tear down immediately again. - - ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); - // the octet string of the extension contains the octet string which in turn - // contains the SCT. Obviously. 
- - unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); - unsigned char* ext_val_second_pointer = ext_val_copy; - memcpy(ext_val_copy, ext_val->data, ext_val->length); - - ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); - if ( !inner ) - { - reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); - return; - } - - binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); - binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); - - try - { - interp->NewData(inner->data, inner->data + inner->length); - } - catch( const binpac::Exception& e ) - { - // throw a warning or sth - reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); - } - - OPENSSL_free(ext_val_second_pointer); - - interp->FlowEOF(); - - delete interp; - delete conn; - } - void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints); 
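@@ -380,6 +231,23 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str()));
 }
+void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+ {
+ // look if we have a specialized handler for this event...
+ if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
+ ParseBasicConstraints(ex);
+
+ else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
+ ParseSAN(ex);
+
+#ifdef NID_ct_cert_scts
+ else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
+#else
+ else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 )
+#endif
+ ParseSignedCertificateTimestamps(ex);
+ }
+
 void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 {
 assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index 9bbc0827cd..325e8becac 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -6,21 +6,18 @@
 #include
 #include "Val.h"
-#include "../File.h"
-#include "Analyzer.h"
+#include "X509Common.h"
-#include
-#include
 namespace file_analysis {
 class X509Val;
-class X509 : public file_analysis::Analyzer {
+class X509 : public file_analysis::X509Common {
 public:
- virtual bool DeliverStream(const u_char* data, uint64 len);
- virtual bool Undelivered(uint64 offset, uint64 len);
- virtual bool EndOfFile();
+ bool DeliverStream(const u_char* data, uint64 len) override;
+ bool Undelivered(uint64 offset, uint64 len) override;
+ bool EndOfFile() override;
 /**
 * Converts an X509 certificate into a \c X509::Certificate record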
@@ -40,25 +37,13 @@ public: static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } - /** - * Retrieve an X509 extension value from an OpenSSL BIO to which it was - * written. - * - * @param bio the OpenSSL BIO to read. It will be freed by the function, - * including when an error occurs. - * - * @return The X509 extension value. - */ - static StringVal* GetExtensionFromBIO(BIO* bio); - protected: X509(RecordVal* args, File* file); private: - void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); - void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string cert_data; diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc new file mode 100644 index 0000000000..367b7e562a --- /dev/null +++ b/src/file_analysis/analyzer/x509/X509Common.cc 
@@ -0,0 +1,315 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "X509Common.h" +#include "x509-extension_pac.h" + +#include "events.bif.h" +#include "ocsp_events.bif.h" +#include "types.bif.h" + +#include +#include +#include +#include +#include + +using namespace file_analysis; + +X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) + : file_analysis::Analyzer(arg_tag, arg_args, arg_file) + { + } + +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. 
+ // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} + +void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. 
+ + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; + } + +void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + M_ASN1_OCTET_STRING_print(bio,ex->value); + + StringVal* ext_val = GetExtensionFromBIO(bio); + + if ( ! 
ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + if ( h == ocsp_extension ) + vl->append(new Val(global ? 1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(h, vl); + + // let individual analyzers parse more. + ParseExtensionsSpecific(ex, global, ext_asn, oid); + } + +StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) + { + BIO_flush(bio); + ERR_clear_error(); + int length = BIO_pending(bio); + + if ( ERR_peek_error() != 0 ) + { + char tmp[120]; + ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); + reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); + BIO_free_all(bio); + return 0; + } + + if ( length == 0 ) + { + BIO_free_all(bio); + return new StringVal(""); + } + + char* buffer = (char*) malloc(length); + + if ( ! buffer ) + { + // Just emit an error here and try to continue instead of aborting + // because it's unclear the length value is very reliable. + reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); + BIO_free_all(bio); + return 0; + } + + BIO_read(bio, (void*) buffer, length); + StringVal* ext_val = new StringVal(length, buffer); + + free(buffer); + BIO_free_all(bio); + + return ext_val; + } 
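Review bot: In ParseSignedCertificateTimestamps the ASN1_OCTET_STRING that d2i_ASN1_OCTET_STRING allocates into `inner` is never released, so every certificate or OCSP response carrying an SCT extension leaks one object, and the early `return` in the `if ( !inner )` branch also leaks the OPENSSL_malloc'd copy held in `ext_val_second_pointer`. Add `OPENSSL_free(ext_val_second_pointer);` before that `return;` and `ASN1_OCTET_STRING_free(inner);` after `interp->FlowEOF();`. The OPENSSL_malloc result is also passed to memcpy without a null check, and an empty extension value makes it a zero-length allocation; a guard on `ext_val_copy` and `ext_val->length` before the memcpy would cover both. Unparseable SCT data arrives from the wire, so reporting it through reporter->Error rather than reporter->Weird, as the time parser above does, mislabels input anomalies as internal errors. The function was moved here from X509.cc, so these predate the commit, but the move is the natural point to fix them.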
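diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h
new file mode 100644
index 0000000000..1e1a9b94ee
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@@ -0,0 +1,44 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Common base class for the X509 and OCSP analyzer, which share a fair amount of
+// code
+
+#ifndef FILE_ANALYSIS_X509_COMMON
+#define FILE_ANALYSIS_X509_COMMON
+
+#include "../File.h"
+#include "Analyzer.h"
+
+#include
+#include
+
+namespace file_analysis {
+
+class X509Common : public file_analysis::Analyzer {
+public:
+ virtual ~X509Common() {};
+
+ /**
+ * Retrieve an X509 extension value from an OpenSSL BIO to which it was
+ * written.
+ *
+ * @param bio the OpenSSL BIO to read. It will be freed by the function,
+ * including when an error occurs.
+ *
+ * @return The X509 extension value.
+ */
+ static StringVal* GetExtensionFromBIO(BIO* bio);
+
+ static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter);
+
+protected:
+ X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);
+
+ void ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global);
+ void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
+ virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
+};
+
+}
+
+#endif /* FILE_ANALYSIS_X509_COMMON */
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 6e4df4393f..f8084fa864 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif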
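Review bot: The new protected hook ParseExtensionsSpecific and the statics GetTimeFromAsn1, ParseExtension and ParseSignedCertificateTimestamps are undocumented, and the hook's parameters are unnamed, so a subclass author cannot tell from the header what the `bool` and the `const char*` carry. Name them as the implementations do, `virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) = 0;`, and add a doc comment saying it is called by ParseExtension after the generic extension event has been queued, that `global` is forwarded unchanged and is only consumed when the event is ocsp_extension (the X509 caller passes false), and that `oid` is the dotted-numeric text of the extension's OID. GetTimeFromAsn1 deserves a comment that it reports a Weird and returns 0 on every malformed input, so callers cannot distinguish a parse failure from the epoch and must treat 0 as "unknown". `virtual ~X509Common() {};` also carries a stray semicolon; `virtual ~X509Common() {}` is the usual form.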
@@ -73,4 +73,4 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index 56ca27d909..e77a82307a 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -35,7 +35,7 @@ refine connection MockConnection += { function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ - BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), bro_analyzer()->GetFile()->GetVal()->Ref(), version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 63be26448f..5203bda7ee 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test 
@@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) { print version, timestamp, hash_algorithm, signature_algorithm; } From c431d14eed69ebec424f95927e83779bad795a83 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 10 Feb 2017 16:01:13 -0800 Subject: [PATCH 059/147] OCSP: re-enable logging, fix tests, fix x509 issue Re-enable logging, now in policy because it probably is interesting to no-one. We also only log ocsp replies. Fix all tests. Fix an issue where ocsp replies were added to the x.509 certificate list. --- scripts/base/files/x509/main.bro | 6 +- scripts/base/files/x509/ocsp.bro | 515 ------------------ scripts/base/protocols/ssl/files.bro | 18 +- scripts/policy/files/x509/log-ocsp.bro | 54 ++ .../.stdout | 3 + .../ocsp.log | 10 +- .../.stdout | 2 + .../ocsp.log | 10 - .../.stdout | 5 + .../ocsp.log | 10 +- .../.stdout | 1 - .../.stdout | 3 + .../ocsp.log | 10 +- .../.stdout | 20 + .../ocsp.log | 16 +- .../base/protocols/ssl/ocsp-http-get.test | 39 ++ .../base/protocols/ssl/ocsp-request-only.test | 40 +- .../protocols/ssl/ocsp-request-response.test | 39 ++ .../protocols/ssl/ocsp-response-cert.test | 15 - .../protocols/ssl/ocsp-response-only.test | 39 ++ .../base/protocols/ssl/ocsp-revoked.test | 39 ++ 21 files changed, 323 insertions(+), 571 deletions(-) delete mode 100644 scripts/base/files/x509/ocsp.bro create mode 100644 scripts/policy/files/x509/log-ocsp.bro create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout delete mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout delete mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout delete mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test 
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index 44ea83fc39..a7d3ca7a04 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -41,12 +41,15 @@ event bro_init() &priority=5 Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); # Always calculate hashes. They are not necessary for base scripts # but very useful for identification, and required for policy scripts Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert"); } redef record Files::Info += { @@ -57,9 +60,6 @@ redef record Files::Info += { event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 { - if ( ! f$info?$mime_type ) - f$info$mime_type = "application/pkix-cert"; - f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref]; } diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro deleted file mode 100644 index cb8c340c64..0000000000 --- a/scripts/base/files/x509/ocsp.bro +++ /dev/null 
@@ -1,515 +0,0 @@ -@load base/protocols/http -@load base/frameworks/files -@load base/utils/paths -@load base/utils/queue - -# Note - this needs some cleaning up and is currently not loaded by default. - -module OCSP; - -export { - ## add one more argument to tell ocsp response or request - redef record Files::AnalyzerArgs += { - ocsp_type: string &optional; - }; - - ## ocsp logging - redef enum Log::ID += { LOG }; - - ## type for pending ocsp request - type PendingQueue: table[OCSP::CertId] of Queue::Queue; - - ## NOTE: one file could contain several requests - ## one ocsp request record - type Info_req: record { - ## time for the request - ts: time; - ## file id for this request or - ## hash of the GET url if it's GET request - id: string &log &optional; - ## connection id - cid: conn_id &optional; - ## connection uid - cuid: string &optional; - ## version - version: count &log &optional; - ## requestor name - requestorName: string &log &optional; - - ## NOTE: the above are for one file which may contain - ## several ocsp requests - - ## one OCSP request may contain several OCSP requests - ## with different cert id; this is the index of the - ## OCSP request with cert_id in the big OCSP request - index: count &log &optional; - ## request cert id - certId: OCSP::CertId &optional; - ## HTTP method - method: string &optional; - }; - - ## NOTE: one file could contain several response - ## one ocsp response record - type Info_resp: record { - ## time for the response - ts: time; - ## file id for this response - id: string &log; - ## connection id - cid: conn_id &optional; - ## connection uid - cuid: string &optional; - ## responseStatus (different from cert status?) 
- responseStatus: string &log &optional; - ## responseType - responseType: string &log &optional; - ## version - version: count &log &optional; - ## responderID - responderID: string &log &optional; - ## producedAt - producedAt: time &log &optional; - ## certificates - certs: vector of opaque of x509 &optional; - - ## NOTE: the following are specific to one cert id - ## the above are for one file which may contain - ## several responses - - ## one OCSP response may contain several OCSP responses - ## with different cert id; this is the index of the - ## OCSP response with cert_id in the big OCSP response - index: count &log &optional; - ##cert id - certId: OCSP::CertId &optional; - ## certStatus (this is the response to look at) - certStatus: string &log &optional; - ## thisUpdate - thisUpdate: time &log &optional; - ## nextUpdate - nextUpdate: time &log &optional; - }; - - type Info: record { - ## timestamp for request if a corresponding request is present - ## OR timestamp for response if a corresponding request is not found - ts: time &log; - - ## connection id - cid: conn_id &log; - - ## connection uid - cuid: string &log; - - ## cert id - certId: OCSP::CertId &log &optional; - - ## request - req: Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - resp: Info_resp &log &optional; - - ## HTTP method - method: string &log &optional; - - ## HTTP record - http: HTTP::Info &optional; - }; - - ## Event for accessing logged OCSP records. 
- global log_ocsp: event(rec: Info); - - global get_uri_prefix: function(s: string): string; -} - -redef record HTTP::Info += { - # there should be one request and response but use Queue here - # just in case - ocsp_requests: PendingQueue &optional; - ocsp_responses: PendingQueue &optional; - - current_content_type: string &optional &default=""; - original_uri: string &optional; - - # flag for checking get uri - checked_get: bool &optional &default=F; - - # uri prefix: this the GET url without ocsp request - uri_prefix: string &optional; - }; - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - c$http$original_uri = original_URI; - } - -event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) - { - c$http$current_content_type = to_lower(ty + "/" + subty); - } - -function check_ocsp_file(f: fa_file, meta: fa_metadata) - { - if ( f$source != "HTTP" || ! f?$http ) - return; - - # call OCSP file analyzer - if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request") - { - Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); - } - else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response") - { - Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); - } - } - -event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 - { - if (f$source == "HTTP") - check_ocsp_file(f, meta); - } - -function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) - { - if ( http?$method ) - req_rec$method = http$method; - } - -function update_request_info(rec: Info_req, req: OCSP::Request) - { - if ( req?$version ) - rec$version = req$version; - - if ( req?$requestorName ) - rec$requestorName = req$requestorName; - } - -function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId - { - local 
cert_id: OCSP::CertId = []; - if ( one_req?$hashAlgorithm ) - cert_id$hashAlgorithm = one_req$hashAlgorithm; - - if ( one_req?$issuerNameHash ) - cert_id$issuerNameHash = one_req$issuerNameHash; - - if ( one_req?$issuerKeyHash ) - cert_id$issuerKeyHash = one_req$issuerKeyHash; - - if ( one_req?$serialNumber ) - cert_id$serialNumber = one_req$serialNumber; - - return cert_id; - } - -function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) - { - local index: count = 0; - if ( req?$requestList && |req$requestList| > 0 ) - { - index += 1; - for (x in req$requestList) - { - local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = cert_id_from_request(one_req); - local req_rec: OCSP::Info_req = [$ts = req_ts, - $certId = cert_id, - $cid = http$id, - $cuid = http$uid, - $index = index, - $id = req_id]; - update_request_info(req_rec, req); - - if ( ! http?$ocsp_requests ) - http$ocsp_requests = table(); - - if ( cert_id !in http$ocsp_requests ) - http$ocsp_requests[cert_id] = Queue::init(); - - update_http_info(http, req_rec); - Queue::put(http$ocsp_requests[cert_id], req_rec); - } - } - else if ( req?$version ) - { - # it's ocsp request but has no request content - # this is weird but log it anyway - local req_rec_empty: OCSP::Info_req = [$ts = req_ts, - $cid = http$id, - $cuid = http$uid, - $id = req_id]; - update_request_info(req_rec_empty, req); - update_http_info(http, req_rec_empty); - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); - } - } - -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 - { - if ( ! 
f?$http ) - return; - enq_request(f$http, req, f$id, network_time()); - } - -function get_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return "/" + get_first_slash(s[1:s_len]); - else - return ""; - } - -function remove_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return remove_first_slash(s[1:s_len]); - else - return s; - } - -function get_uri_prefix(s: string): string - { - local uri_prefix = get_first_slash(s); - local w = split_string(s[|uri_prefix|:], /\//); - local i = 0; - while ( i < (|w| - 1) ) - { - uri_prefix += w[i] + "/"; - i += 1; - } - return uri_prefix; - } - -function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request - { - local parsed_req: OCSP::Request; - if ( ! http?$original_uri ) - return parsed_req;; - local uri_prefix: string = get_uri_prefix(http$original_uri); - http$uri_prefix = uri_prefix; - local ocsp_req_str: string = http$uri[|uri_prefix|:]; - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - if ( ! 
parsed_req?$requestList || |parsed_req$requestList| == 0 ) - { - # normal parse fails, bug url, naively try each part - local w = split_string(http$original_uri, /\//); - local s = ""; - for ( i in w ) - { - s += w[i] + "/"; - ocsp_req_str = http$uri[|s|:]; - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) - { - http$uri_prefix = s; - break; - } - } - } - return parsed_req; - } - -function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp) - { - if ( single_resp?$certStatus ) - rec$certStatus = single_resp$certStatus; - - if ( single_resp?$thisUpdate ) - rec$thisUpdate = single_resp$thisUpdate; - - if ( single_resp?$nextUpdate ) - rec$nextUpdate = single_resp$nextUpdate; - } - -function update_response_info(rec: Info_resp, resp: OCSP::Response) - { - if ( resp?$responseStatus ) - rec$responseStatus = resp$responseStatus; - - if ( resp?$responseType ) - rec$responseType = resp$responseType; - - if ( resp?$version ) - rec$version = resp$version; - - if ( resp?$responderID ) - rec$responderID = resp$responderID; - - if ( resp?$producedAt ) - rec$producedAt = resp$producedAt; - - if ( resp?$certs ) - rec$certs = resp$certs; - } - -function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) - { - update_response_info(rec, resp); - update_response_info_single(rec, single_resp); - } - -function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId - { - local cert_id: OCSP::CertId = []; - if ( single_resp?$hashAlgorithm ) - cert_id$hashAlgorithm = single_resp$hashAlgorithm; - - if ( single_resp?$issuerNameHash ) - cert_id$issuerNameHash = single_resp$issuerNameHash; - - if ( single_resp?$issuerKeyHash ) - cert_id$issuerKeyHash = single_resp$issuerKeyHash; - - if ( single_resp?$serialNumber ) - cert_id$serialNumber = single_resp$serialNumber; - - return cert_id; - } - -event ocsp_response(f: fa_file, 
resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 - { - if ( ! f?$http ) - return; - - if ( resp?$responses && |resp$responses| > 0 ) - { - local index: count = 0; - for (x in resp$responses) - { - index += 1; - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = cert_id_from_response(single_resp); - local resp_rec: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $index = index, - $certId = cert_id]; - update_response_info_with_single(resp_rec, resp, single_resp); - - if ( ! f$http?$ocsp_responses ) - f$http$ocsp_responses = table(); - - if ( cert_id !in f$http$ocsp_responses ) - f$http$ocsp_responses[cert_id] = Queue::init(); - - Queue::put(f$http$ocsp_responses[cert_id], resp_rec); - } - } - else - { - # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid]; - update_response_info(resp_rec_empty, resp); - local info_rec: Info = [$ts = resp_rec_empty$ts, - $resp_ts = resp_rec_empty$ts, - $resp = resp_rec_empty, - $cid = f$http$id, - $cuid = f$http$uid, - $http = f$http]; - if ( f$http?$method ) - info_rec$method = f$http$method; - Log::write(LOG, info_rec); - } - - # check if there is a OCSP GET request - if ( f$http?$method && f$http$method == "GET" && ! 
f$http$checked_get ) - { - f$http$checked_get = T; - local req_get: OCSP::Request = check_ocsp_request_uri(f$http); - enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts); - } - } - -function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info) - { - local reqs: vector of Info_req; - Queue::get_vector(q, reqs); - for ( i in reqs ) - { - local info_rec: Info = [$ts = reqs[i]$ts, - $certId = reqs[i]$certId, - $req = reqs[i], - $cid = reqs[i]$cid, - $cuid = reqs[i]$cuid, - $http = http]; - if ( reqs[i]?$method ) - info_rec$method = reqs[i]$method; - Log::write(LOG, info_rec); - } - } - -function log_unmatched_reqs(http: HTTP::Info) - { - local reqs: PendingQueue = http$ocsp_requests; - for ( cert_id in reqs ) - log_unmatched_reqs_queue(reqs[cert_id], http); - clear_table(reqs); - } - -function start_log_ocsp(http: HTTP::Info) - { - if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) - return; - - if ( ! http?$ocsp_responses ) - { - log_unmatched_reqs(http); - return; - } - - for ( cert_id in http$ocsp_responses ) - { - while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) - { - # have unmatched responses - local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]); - local info_rec: Info = [$ts = resp_rec$ts, - $certId = resp_rec$certId, - $resp_ts = resp_rec$ts, - $resp = resp_rec, - $cid = http$id, - $cuid = http$uid, - $http = http]; - - if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) - { - # find a match - local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]); - info_rec$req = req_rec; - info_rec$ts = req_rec$ts; - if (Queue::len(http$ocsp_requests[cert_id]) == 0) - delete http$ocsp_requests[cert_id]; - } - if ( http?$method ) - info_rec$method = http$method; - Log::write(LOG, info_rec); - } - if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) - delete http$ocsp_responses[cert_id]; - } - if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) - log_unmatched_reqs(http); - } - -# log OCSP 
information
-event HTTP::log_http(rec: HTTP::Info)
- {
- start_log_ocsp(rec);
- }
-
-event bro_init() &priority=5
- {
- Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
- }
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 8a1380a270..b440927381 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -91,11 +91,23 @@ event bro_init() &priority=5
 $describe = SSL::describe_file]);
 }
 
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 {
- if ( ! c?$ssl )
+ if ( |f$conns| != 1 )
 return;
 
+ if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+ || f$info$mime_type == "application/pkix-cert" ) )
+ return;
+
+ for ( cid in f$conns )
+ {
+ if ( ! f$conns[cid]?$ssl )
+ return;
+
+ local c = f$conns[cid];
+ }
+
 if ( ! c$ssl?$cert_chain )
 {
 c$ssl$cert_chain = vector();
@@ -104,7 +116,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 c$ssl$client_cert_chain_fuids = string_vec();
 }
 
- if ( is_orig )
+ if ( f$is_orig )
 {
 c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
 c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro
new file mode 100644
index 0000000000..f9e72dd832
--- /dev/null
+++ b/scripts/policy/files/x509/log-ocsp.bro
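Review bot: `f$info$mime_type` is read unguarded in the new `file_sniff` handler, but `mime_type` is an `&optional` field of `Files::Info`, so a file for which sniffing produced no type reaches the comparison with the field unset and, as far as I can tell, trips a runtime field-access error instead of returning; `if ( ! f$info?$mime_type ) return;` placed before the comparison closes that, or the handler can test `meta?$mime_type` and compare `meta$mime_type`, which it already receives. The `local c` declared inside the `for` body and used after the loop only works because the `|f$conns| != 1` guard forces exactly one iteration; declaring `local c: connection;` above the loop would make that dependency visible rather than implicit. The handler's body continues past the end of the first hunk.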
@@ -0,0 +1,54 @@
+##! Enable basic OCSP logging.
+
+# This is in policy because probably just about no one is interested
+# in logging OCSP responses.
+
+module OCSP;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Current timestamp.
+ ts: time &log;
+
+ ## File id of the ocsp reply.
+ id: string &log;
+
+ hashAlgorithm: string &log;
+ issuerNameHash: string &log;
+ issuerKeyHash: string &log;
+ serialNumber: string &log;
+ certStatus: string &log;
+ revoketime: time &log &optional;
+ revokereason: string &log &optional;
+ thisUpdate: time &log;
+ nextUpdate: time &log &optional;
+ };
+
+ global log_ocsp: event(rec: Info);
+}
+
+event bro_init()
+ {
+ Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
+ $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
+ $thisUpdate=thisUpdate);
+
+ if ( revokereason != "" )
+ wr$revokereason = revokereason;
+
+ if ( time_to_double(revoketime) != 0 )
+ wr$revoketime = revoketime;
+
+ if ( time_to_double(nextUpdate) != 0 )
+ wr$nextUpdate = nextUpdate;
+
+ Log::write(LOG, wr);
+ }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout
new file mode 100644
index 0000000000..4678baf15d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout
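Review bot: The nine record fields from `hashAlgorithm` through `nextUpdate` carry no `##` doc comments, so they will render undocumented next to the two fields that are, and `## Current timestamp.` on `ts` does not match what the handler writes, which is `f$info$ts`, the file's own timestamp, rather than the time the event fired; I would change it to `## Timestamp of the file carrying the OCSP reply.` and give each remaining field a one-liner such as `## Status of the certificate: good, revoked or unknown.` on `certStatus` and `## Revocation time, only set when certStatus is revoked.` on `revoketime`. The three `!= ""` / `!= 0` checks in `ocsp_response_certificate` rely on the analyzer handing over an empty string and an epoch-zero time for absent values (the new `.stdout` baselines show `0.0` and an empty reason for `good` answers); a short comment stating that convention next to the checks saves the next reader a trip into the analyzer source. Since the log now records `certStatus` per reply, a `revoked` row is the one a defender will want to alert on, which is worth a sentence in the `##!` header.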
@@ -0,0 +1,3 @@ +ocsp_response_status, successful +ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0 +ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 97a1eba12e..bdb8384676 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-23-43 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET -#close 2017-02-09-00-23-43 +#open 2017-02-10-23-35-49 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000 +#close 2017-02-10-23-35-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout new file mode 100644 index 0000000000..ca94887c05 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout 
@@ -0,0 +1,2 @@ +request, 0, +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log deleted file mode 100644 index 366671298b..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ocsp -#open 2017-02-09-00-24-29 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST -#close 2017-02-09-00-24-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout new file mode 100644 index 0000000000..3996bbd84f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout 
@@ -0,0 +1,5 @@ +request, 0, +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +ocsp_response_status, successful +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index dc1f8f6657..3707e84c48 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-32 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST -#close 2017-02-09-00-24-32 +#open 2017-02-11-00-00-41 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 +#close 2017-02-11-00-00-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout deleted file mode 100644 index b6a95f4f0c..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout +++ /dev/null 
@@ -1 +0,0 @@ -[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout new file mode 100644 index 0000000000..230e80b4cd --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout @@ -0,0 +1,3 @@ +ocsp_response_status, successful +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index eab0e0579b..e897453b5c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-34 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - -#close 2017-02-09-00-24-34 +#open 2017-02-11-00-00-52 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 +#close 2017-02-11-00-00-52 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout new file mode 100644 index 0000000000..545f761acc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout 
@@ -0,0 +1,20 @@ +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 
1436321024.0, 1443459307.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index f3889662ee..58b226320d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-36 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST -1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST -1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST -1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 
0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST -#close 2017-02-09-00-24-36 +#open 2017-02-11-00-00-56 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 +1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 +1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 +1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 +#close 2017-02-11-00-00-56 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test index 10ccc80c63..ff48772b6a 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test 
@@ -2,3 +2,42 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
 # @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+ {
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+ {
+ print "extension: ", ext, global_resp;
+ }
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+ {
+ print "request", version, requestorName;
+ }
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+ {
+ print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+ }
+
+event ocsp_response_status(f: fa_file, status: string)
+ {
+ print "ocsp_response_status", status;
+ }
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+ {
+ print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+ }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
index 69e1023479..0176716553 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
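Review bot: The `bro_init` block and the six event handlers added here are pasted verbatim into ocsp-request-only.test, ocsp-request-response.test, ocsp-response-only.test and ocsp-revoked.test (the hunks that follow), so a later edit to one copy silently changes what the other traces exercise while the baselines stay comparable only by accident. Moving the handlers into one shared script next to the tests and `@load`-ing it from each `.test` file would keep the five runs in step. It is not visible here whether `files/x509/log-ocsp` already registers the two OCSP analyzers for their MIME types; if it does, the `bro_init` block is redundant. Only ocsp-request-only.test drops `btest-diff ocsp.log` instead of adding `.stdout` beside it; if that is deliberate because the trace carries no response, a one-line comment stating so would save the next reader the comparison.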
@@ -1,4 +1,42 @@
 # This tests a OCSP request missing response
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
-# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+ {
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+ {
+ print "extension: ", ext, global_resp;
+ }
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+ {
+ print "request", version, requestorName;
+ }
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+ {
+ print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+ }
+
+event ocsp_response_status(f: fa_file, status: string)
+ {
+ print "ocsp_response_status", status;
+ }
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+ {
+ print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+ }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
index f9173292dc..3adfab9aa2 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@@ -2,3 +2,42 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
 # @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+ {
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+ {
+ print "extension: ", ext, global_resp;
+ }
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+ {
+ print "request", version, requestorName;
+ }
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+ {
+ print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+ }
+
+event ocsp_response_status(f: fa_file, status: string)
+ {
+ print "ocsp_response_status", status;
+ }
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+ {
+ print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+ }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test
deleted file mode 100644
index 5ed2bf3253..0000000000
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test
+++ /dev/null
@@ -1,15 +0,0 @@
-# This tests OCSP response containing a certificate
-
-# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
-event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
-{
-if (resp?$certs)
- {
- for (x in resp$certs)
- {
- print x509_parse(resp$certs[x]);
- }
- }
-}
\ No newline at end of file
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
index 539a7bf1d6..f99a71802c 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@@ -2,3 +2,42 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
 # @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+ {
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+ {
+ print "extension: ", ext, global_resp;
+ }
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+ {
+ print "request", version, requestorName;
+ }
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+ {
+ print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+ }
+
+event ocsp_response_status(f: fa_file, status: string)
+ {
+ print "ocsp_response_status", status;
+ }
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+ {
+ print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+ }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
index 1125484cdf..ae39640f3f 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@@ -2,3 +2,42 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
 # @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+ {
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+ {
+ print "extension: ", ext, global_resp;
+ }
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+ {
+ print "request", version, requestorName;
+ }
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+ {
+ print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+ }
+
+event ocsp_response_status(f: fa_file, status: string)
+ {
+ print "ocsp_response_status", status;
+ }
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+ {
+ print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+ }
From 976677dba259ca02268141766329bccc4f99a5db Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 14 Feb 2017 12:19:08 -0800
Subject: [PATCH 060/147] Add missing end of file call for stapled ocsp responses.
---
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index d2ccd796cb..6882e48cbb 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -235,7 +235,7 @@ refine connection Handshake_Conn += {
 (const char*) response.data()), status_type);
-
+ file_mgr->EndOfFile(file_id);
 }
 return true;
 %}
From 5604f46dd3c249af2a3d1e61cd8b3c29de606ad0 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 15 Feb 2017 17:38:56 -0800
Subject: [PATCH 061/147] OCSP SCT: use correct oid for old openssls
---
src/file_analysis/analyzer/x509/OCSP.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 1c27720e36..7a6a3c9a12 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -347,7 +347,7 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 #ifdef NID_ct_cert_scts
 if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
 #else
- if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 )
+ if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 )
 #endif
 ParseSignedCertificateTimestamps(ex);
 }
From 2b3dcc273af53b5f917a97680dc1e464458f3499 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 16 Mar 2017 12:29:50 -0700
Subject: [PATCH 062/147] KRB: Fix small recently introduced files bug.
is_orig was set incorrectly for responses.
---
src/analyzer/protocol/krb/krb-padata.pac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac
index 4667ab1677..271958fcb4 100644
--- a/src/analyzer/protocol/krb/krb-padata.pac
+++ b/src/analyzer/protocol/krb/krb-padata.pac
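Review bot: The `#else` fallback now matches only OID 1.3.6.1.4.1.11129.2.4.5, while the `#ifdef NID_ct_cert_scts` branch three lines above still accepts both `NID_ct_cert_scts` and `NID_ct_precert_scts`, so a Bro built against a newer OpenSSL parses SCTs from a different set of extensions than one built against an older OpenSSL. In OpenSSL's object table `NID_ct_cert_scts` is 1.3.6.1.4.1.11129.2.4.5, the RFC 6962 OCSP response SCT extension, and `NID_ct_precert_scts` is 1.3.6.1.4.1.11129.2.4.2, the certificate extension; if that mapping holds for the versions Bro targets, the NID branch should be narrowed to match the fallback, `if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts )`. A comment on the fallback line, `// 1.3.6.1.4.1.11129.2.4.5 is the OCSP-response SCT list extension (RFC 6962); the certificate-embedded OID is handled by the X509 analyzer`, would record why a single OID is compared here and stop the next reader from re-adding the others. `ParseExtensionsSpecific` starts and ends outside the hunk, so where `oid` and `ext_asn` are obtained is not visible.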
@@ -100,7 +100,7 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
 file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer->GetAnalyzerTag(),
- bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert");
+ bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert");
 file_mgr->EndOfFile(file_id);
 break;
From dcf49078573e3070a07cc83e842fac90637f9651 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 16 Mar 2017 13:50:32 -0700
Subject: [PATCH 063/147] Add CT log information to Bro
This commit add the table SSL::ct_logs to Bro. This table is populated with information about the currently active certificate transparency logs (data from Google). The data can, e.g., be used to identify which Logs are being used in SCTs.
---
scripts/base/protocols/ssl/__load__.bro | 1 +
scripts/base/protocols/ssl/ct-list.bro | 34 +++++++++++++++++++
scripts/base/protocols/ssl/main.bro | 13 +++++++
.../.stdout | 8 ++---
.../.stdout | 6 ++--
.../x509/signed_certificate_timestamp.test | 2 +-
.../ssl/signed_certificate_timestamp.test | 2 +-
7 files changed, 57 insertions(+), 9 deletions(-)
create mode 100644 scripts/base/protocols/ssl/ct-list.bro
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro
index 42287fb039..b8e4d52523 100644
--- a/scripts/base/protocols/ssl/__load__.bro
+++ b/scripts/base/protocols/ssl/__load__.bro
@@ -1,6 +1,7 @@
 @load ./consts
 @load ./main
 @load ./mozilla-ca-list
+@load ./ct-list
 @load ./files
 @load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro
new file mode 100644
index 0000000000..600b644df2
--- /dev/null
+++ b/scripts/base/protocols/ssl/ct-list.bro
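Review bot: The corrected `is_orig` argument on the `+` line is still a bare literal, and nothing near the `DataIn` call says why this path only ever sees responses, which is how the wrong value survived review the first time. A comment on the call such as `// PA-DATA certificates handled here come from the KDC reply, so the file is not originator-sent (is_orig = false)` would pin the intent; if `proc_padata` can also be reached for client-sent PA-DATA, the flag should be derived from the message direction rather than hard-coded. `proc_padata` starts and ends outside the hunk, so whether a direction indicator is available at this point is not visible.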
@@ -0,0 +1,34 @@ +# +# Do not edit this file. This file is automatically generated by gen-ct-list.pl +# File generated at Thu Mar 16 13:41:00 2017 +# File generated from https://www.certificate-transparency.org/known-logs/all_logs_list.json?attredirects=0&d=1 +# + +@load base/protocols/ssl +module SSL; +redef ct_logs += { +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ct.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign ctlog", $operator="WoSign", 
$url="ctlog.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec VEGA log", $operator="Symantec", $url="vega.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="Wang Shengnan GDCA log", $operator="Wang Shengnan", $url="ct.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' 
log", $operator="Google", $url="ct.googleapis.com/submariner", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 2nd log", $operator="Izenpe", $url="ct.izenpe.eus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom CT log", $operator="StartCom", $url="ct.startssl.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA log", $operator="GDCA", $url="ctlog.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = 
CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="https://ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec SIRIUS log", $operator="Symantec", $url="sirius.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert CT2 log", $operator="DigiCert", $url="ct2.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +}; diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 858fa343bb..dbe5f2bccd 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
@@ -74,6 +74,19 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + type CTInfo: record { + description: string; + operator: string; + key: string; + maximum_merge_delay: count; + url: string; + }; + + ## The Certificate Transparency log bundle. By default, the ct-list.bro + ## script sets this to the current list of known logs. Entries + ## are indexex by (binary) log-id. + const ct_logs: table[string] of CTInfo = {} &redef; + ## If true, detach the SSL analyzer from the connection to prevent ## continuing to process encrypted traffic. Helps with performance ## (especially with large file transfers). diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout index 4b81b287a6..a27331e535 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -1,4 +1,4 @@ -0, 1474927230.876, 4, 3 -0, 1474927232.863, 4, 3 -0, 1474927232.112, 4, 3 -0, 1474927232.304, 4, 3 +0, Symantec log, 1474927230.876, 4, 3 +0, Google 'Rocketeer' log, 1474927232.863, 4, 3 +0, Google 'Aviator' log, 1474927232.112, 4, 3 +0, Google 'Pilot' log, 1474927232.304, 4, 3 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index abed68df42..bc56f161ab 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
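Review bot: The doc comment on `ct_logs` has a typo, `indexex` → `indexed`, and the `CTInfo` fields are undocumented although the record is part of the exported SSL API. I would add field comments such as `## DER-encoded SubjectPublicKeyInfo of the log's public key` on `key` (the format the sct_verify bif later on this page expects) and `## Maximum merge delay promised by the log, presumably in seconds` on `maximum_merge_delay` — the unit is not stated anywhere here, so confirm it against the list script. `description`, `operator` and `url` would each take a one-line comment as well.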
@@ -1,3 +1,3 @@ -0, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] -0, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] -0, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 5203bda7ee..5b4c02dd01 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -3,5 +3,5 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) { - print version, timestamp, hash_algorithm, signature_algorithm; + print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm; } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index 80a041c316..bcc0a87637 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -3,5 +3,5 @@ event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { - print version, timestamp, signature_and_hashalgorithm; + print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm; } From d50bddfbfbf196dc88ba097aa1c0095ff9c5c2eb Mon Sep 17 00:00:00 2001 
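Review bot: `SSL::ct_logs[logid]$description` indexes the table without first checking `logid in SSL::ct_logs`, so an SCT from a log that is not in the bundled list raises a script error inside the event handler instead of printing. For a btest against a fixed pcap that is acceptable, but the same pattern is copied into the later test scripts on this page (the x509 and ssl signed_certificate_timestamp test hunks in commits 064 and 065 and the new signed_certificate_timestamp_ocsp.test), and anyone adapting them into a policy script inherits it. A guard such as `if ( logid !in SSL::ct_logs ) return;` before the print keeps the handlers robust to unknown logs.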
From: Johanna Amann Date: Thu, 16 Mar 2017 18:18:39 -0700 Subject: [PATCH 064/147] SCT: pass timestamp as uint64 instead of time For verification, we need the exact uint64 as it was seen on the wire; converting it to a double might mean that we loose precision. --- src/analyzer/protocol/ssl/events.bif | 5 +++-- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +- src/file_analysis/analyzer/x509/events.bif | 5 +++-- src/file_analysis/analyzer/x509/x509-extension.pac | 2 +- .../base/files/x509/signed_certificate_timestamp.test | 4 ++-- .../base/protocols/ssl/signed_certificate_timestamp.test | 4 ++-- 6 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 5f0e0c4557..721fcd249c 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -238,13 +238,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## ## logid: 32 bit key id ## -## timestamp: the current NTP Time +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 6882e48cbb..d7ccef45b6 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -259,7 +259,7 @@ refine connection Handshake_Conn += { bro_analyzer()->Conn(), ${rec.is_orig}, version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), - ((double)timestamp)/1000, + timestamp, ha, new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) ); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index f8084fa864..206555e9dd 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -67,10 +67,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## ## logid: 32 bit key id ## -## timestamp: the timestamp of the sct +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index e77a82307a..937706fd3b 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac 
@@ -39,7 +39,7 @@ refine connection MockConnection += { bro_analyzer()->GetFile()->GetVal()->Ref(), version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), - ((double)timestamp)/1000, + timestamp, digitally_signed_algorithms->HashAlgorithm(), digitally_signed_algorithms->SignatureAlgorithm(), new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 5b4c02dd01..c0fe06d4d3 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) { - print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm; + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index bcc0a87637..d0eaacd096 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test 
@@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { - print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm; + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; } From c403a7f4e69be16c71d74b307cf17064edbbaf37 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 17 Mar 2017 11:40:49 -0700 Subject: [PATCH 065/147] SCT: add validation of proofs for extensions and OCSP. This does not yet work for certificates, because this requires some changing the ASN.1 structure before validation (we need to extract the tbscert and remove the SCT extension before). API will change in the future. --- src/analyzer/protocol/ssl/functions.bif | 1 + src/file_analysis/analyzer/x509/functions.bif | 95 +++++++++++++++++++ .../.stdout | 6 ++ .../.stdout | 6 ++ .../signed_certificate_timestamp_ocsp.test | 31 ++++++ .../ssl/signed_certificate_timestamp.test | 32 +++++++ 6 files changed, 171 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index f7fa76ca36..17720bcbb1 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif 
@@ -1,6 +1,7 @@ %%{ #include "analyzer/protocol/ssl/SSL.h" +#include %%} ## Sets if the SSL analyzer should consider the connection established (handshake diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 0fe65c7d55..161a009515 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -1,6 +1,7 @@ %%{ #include "file_analysis/analyzer/x509/X509.h" #include "types.bif.h" +#include "net_util.h" #include #include 
@@ -543,6 +544,100 @@ x509_verify_chainerror: return rrecord; %} +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count%): bool + %{ + assert(cert); + file_analysis::X509Val* h = (file_analysis::X509Val*) cert; + X509* x = ((file_analysis::X509Val*) h)->GetCertificate(); + + assert(sizeof(timestamp) >= 8); + uint64_t timestamp_network = htonll(timestamp); + + std::string data; + data.push_back(0); // version + data.push_back(0); // signature_type -> certificate_timestamp + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + data.append("\0\0", 2); // entry-type: x509_entry + + unsigned char *cert_out = nullptr; + uint32 cert_length = i2d_X509(x, &cert_out); + assert( cert_out ); + uint32 cert_length_network = htonl(cert_length); + assert( sizeof(cert_length_network) == 4); + + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + OPENSSL_free(cert_out); + data.append("\0\0", 2); // no extensions + + // key is given as a DER-encoded SubjectPublicKeyInfo. + const unsigned char *key_char = log_key->Bytes(); + EVP_PKEY* key = d2i_PUBKEY(nullptr, &key_char, log_key->Len()); + + EVP_MD_CTX *mdctx = EVP_MD_CTX_create(); + assert(mdctx); + + string errstr; + int success = 0; + + const EVP_MD* hash; + // numbers from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 + switch ( hash_algorithm ) + { + case 1: + hash = EVP_md5(); + break; + case 2: + hash = EVP_sha1(); + break; + case 3: + hash = EVP_sha224(); + break; + case 4: + hash = EVP_sha256(); + break; + case 5: + hash = EVP_sha384(); + break; + case 6: + hash = EVP_sha512(); + break; + default: + errstr = "Unknown hash algorithm"; + goto sct_verify_err; + } + + if ( ! 
key ) + { + errstr = "Could not load log key"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyInit(mdctx, NULL, hash, NULL, key) ) + { + errstr = "Could not init signature verification"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyUpdate(mdctx, data.data(), data.size()) ) + { + errstr = "Could not update digest for verification"; + goto sct_verify_err; + } + + success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); + EVP_MD_CTX_destroy(mdctx); + + return new Val(success, TYPE_BOOL); + +sct_verify_err: + if (mdctx) + EVP_MD_CTX_destroy(mdctx); + cerr << errstr << endl; + reporter->Error("%s", errstr.c_str()); + return new Val(0, TYPE_BOOL); + %} + ## Get the hash of issuer name of a certificate ## ## cert: The X509 certificate opaque handle. diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout new file mode 100644 index 0000000000..5384f4e6b7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout @@ -0,0 +1,6 @@ +0, Google 'Pilot' log, 1406997753.366, 4, 3 +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +0, Google 'Aviator' log, 1407002457.456, 4, 3 +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index bc56f161ab..342228a1cf 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
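Review bot: The `EVP_PKEY` returned by `d2i_PUBKEY` is never released: neither the success path after `EVP_DigestVerifyFinal` nor the `sct_verify_err` path calls `EVP_PKEY_free(key)`, so every call leaks a parsed log key. `EVP_DigestVerifyFinal` returns 1 for a valid signature, 0 for a mismatch and a negative value for other errors, so `return new Val(success, TYPE_BOOL);` should become `return new Val(success == 1, TYPE_BOOL);` — as written, a negative error code would likely be reported to script-land as a verified SCT. `cerr << errstr << endl;` next to the `reporter->Error` call looks like a leftover debug print, and the accepted hash algorithms include MD5 and SHA-1 although RFC 6962 specifies SHA-256 for SCT signatures, which deserves at least a comment. The function also has no `##` doc block describing its parameters or its return value.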
@@ -1,3 +1,9 @@ 0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] 0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] 0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test new file mode 100644 index 0000000000..01ed128541 --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test @@ -0,0 +1,31 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + print "Verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp, hash_algorithm); + print "Bad verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp+1, hash_algorithm); + } 
diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index d0eaacd096..0b9c5fc157 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -1,7 +1,39 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg); + } } From 41a2028dee5b6a885e645386d1c71f49000e8611 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 17 Mar 2017 13:53:50 -0700 Subject: [PATCH 066/147] SCT: only compare correct OID/NID for Cert/OCSP. The old way of doing it did not really cause problems - but now only the OID that can be used in practice is checked.
--- src/file_analysis/analyzer/x509/OCSP.cc | 2 +- src/file_analysis/analyzer/x509/X509.cc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 7a6a3c9a12..6ce51f9dd3 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -345,7 +345,7 @@ clean_up:
 void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
 {
 #ifdef NID_ct_cert_scts
- if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
+ if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts )
 #else
 if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 )
 #endif
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index f9ec91c9d1..b26bd4a1da 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -241,9 +241,9 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 ParseSAN(ex);
 #ifdef NID_ct_cert_scts
- else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
+ else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
 #else
- else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 )
+ else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 )
 #endif
 ParseSignedCertificateTimestamps(ex);
 }
From 115a676d0838ed1e70b97b5943fcda652bdbdf57 Mon Sep 17 00:00:00 2001
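Review bot: In the X509.cc hunk the `#ifdef NID_ct_cert_scts` guard now protects a comparison against `NID_ct_precert_scts`; guarding on the symbol actually used, `#ifdef NID_ct_precert_scts`, makes the fallback self-documenting and avoids a build break should only one of the two NIDs be available. Both NIDs appear to have arrived together with OpenSSL's CT support, so this is a consistency point rather than a current failure. A short comment next to each check, e.g. `// 1.3.6.1.4.1.11129.2.4.2: SCT list embedded in a certificate; .5: SCT list in an OCSP response`, would make the deliberate asymmetry between OCSP.cc and X509.cc visible to the next reader.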
From: Johanna Amann Date: Fri, 17 Mar 2017 15:53:47 -0700 Subject: [PATCH 067/147] SCT: Allow verification of SCTs in Certs. This is much more complex than the TLS Extension/OCSP cases. We need to first alter the certificate and remove the extension from it, before extracting the tbscert. Furthermore, we need the key hash of the issuing certificate to be able to validate the proof - which means that we need a valid certificate chain. Missing: documentation, nice integration so that we can just add a script and use this in Bro. --- .../policy/protocols/ssl/validate-certs.bro | 39 ++- src/file_analysis/analyzer/x509/functions.bif | 286 +++++++++++------- .../.stdout | 8 + .../x509/signed_certificate_timestamp.test | 55 ++++ 4 files changed, 277 insertions(+), 111 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 97072e4cab..5ab2017cc6 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -19,12 +19,17 @@ export { redef record Info += { ## Result of certificate validation for this connection. validation_status: string &log &optional; + ## Result of certificate validation for this connection, given + ## as OpenSSL validation code. + validation_code: count &optional; + ## Ordered chain of validated certificate, if validation succeeded. + valid_chain: vector of opaque of x509 &optional; }; - ## MD5 hash values for recently validated chains along with the + ## Result values for recently validated chains along with the ## validation status are kept in this table to avoid constant ## validation every time the same certificate chain is seen. - global recently_validated_certs: table[string] of string = table() + global recently_validated_certs: table[string] of X509::Result = table() &read_expire=5mins &redef; ## Use intermediate CA certificate caching when trying to validate 
@@ -39,6 +44,11 @@ export { ## that you encounter. Only disable if you want to find misconfigured servers. global ssl_cache_intermediate_ca: bool = T &redef; + ## Store the valid chain in c$ssl$valid_chain if validation succeeds. + ## This has a potentially high memory impact, depending on the local environment + ## and is thus disabled by default. + global ssl_store_valid_chain: bool = F &redef; + ## Event from a worker to the manager that it has encountered a new ## valid intermediate. global intermediate_add: event(key: string, value: vector of opaque of x509); @@ -83,7 +93,7 @@ event SSL::new_intermediate(key: string, value: vector of opaque of x509) } @endif -function cache_validate(chain: vector of opaque of x509): string +function cache_validate(chain: vector of opaque of x509): X509::Result { local chain_hash: vector of string = vector(); @@ -97,7 +107,10 @@ function cache_validate(chain: vector of opaque of x509): string return recently_validated_certs[chain_id]; local result = x509_verify(chain, root_certs); - recently_validated_certs[chain_id] = result$result_string; + if ( ! ssl_store_valid_chain && result?$chain_certs ) + recently_validated_certs[chain_id] = X509::Result($result=result$result, $result_string=result$result_string); + else + recently_validated_certs[chain_id] = result; # if we have a working chain where we did not store the intermediate certs # in our cache yet - do so @@ -120,7 +133,7 @@ function cache_validate(chain: vector of opaque of x509): string } } - return result$result_string; + return result; } event ssl_established(c: connection) &priority=3 
@@ -133,7 +146,7 @@ event ssl_established(c: connection) &priority=3 local intermediate_chain: vector of opaque of x509 = vector(); local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; local hash = c$ssl$cert_chain[0]$sha1; - local result: string; + local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from @@ -145,9 +158,12 @@ event ssl_established(c: connection) &priority=3 intermediate_chain[i+1] = intermediate_cache[issuer][i]; result = cache_validate(intermediate_chain); - if ( result == "ok" ) + if ( result$result_string == "ok" ) { - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; return; } } @@ -163,9 +179,12 @@ event ssl_established(c: connection) &priority=3 } result = cache_validate(chain); - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; - if ( result != "ok" ) + if ( result$result_string != "ok" ) { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 161a009515..83e73e5d46 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
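Review bot: `ssl_store_valid_chain` does not gate what its documentation promises: in both `ssl_established` hunks (`@@ -145,9 +158,12 @@` and `@@ -163,9 +179,12 @@`) `c$ssl$valid_chain` is assigned whenever `result?$chain_certs`, while `cache_validate` only strips the chain from the cached copy and still returns the full `x509_verify` result on a miss. With the default `F` the first connection seeing a chain therefore gets the whole chain stored in `c$ssl$valid_chain` and later connections do not, so the memory-impact control is bypassed on every cache miss and the per-connection result is inconsistent. Changing both assignments to `if ( ssl_store_valid_chain && result?$chain_certs )` makes the option authoritative. The body of `ssl_established` extends beyond these hunks.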
@@ -140,6 +140,33 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) return 0; } +const EVP_MD* hash_to_evp(int hash) + { + switch ( hash ) + { + case 1: + return EVP_md5(); + break; + case 2: + return EVP_sha1(); + break; + case 3: + return EVP_sha224(); + break; + case 4: + return EVP_sha256(); + break; + case 5: + return EVP_sha384(); + break; + case 6: + return EVP_sha512(); + break; + default: + return nullptr; + } + } + %%} ## Parses a certificate into an X509::Certificate structure. @@ -544,7 +571,7 @@ x509_verify_chainerror: return rrecord; %} -function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count%): bool +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool %{ assert(cert); file_analysis::X509Val* h = (file_analysis::X509Val*) cert; 
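Review bot: Every `case` in `hash_to_evp` carries a `break;` after an unconditional `return`, which is dead code; a plain return-per-case switch reads cleaner. The helper is a non-static definition inside the `%%{ ... %%}` block, so it gets external linkage in the generated .cc; `static const EVP_MD* hash_to_evp(int hash)` avoids a clash with any other translation unit defining that name. The removed switch in `sct_verify` cited the IANA TLS HashAlgorithm registry for the 1..6 numbering; that reference should move onto the new helper so the mapping stays traceable. The widened `sct_verify` signature in the second hunk adds `issuer_key_hash` without any `##` documentation — a doc block stating that it is the hash of the issuer's public key as defined by RFC 6962 (the code insists on 32 bytes), supplied only for precertificate SCTs, and that the default empty string selects the plain certificate entry would be needed.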
@@ -553,21 +580,73 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa assert(sizeof(timestamp) >= 8); uint64_t timestamp_network = htonll(timestamp); + bool precert = issuer_key_hash->Len() > 0; + if ( precert && issuer_key_hash->Len() != 32) + { + reporter->Error("Invalid issuer_key_hash length"); + return new Val(0, TYPE_BOOL); + } + std::string data; data.push_back(0); // version data.push_back(0); // signature_type -> certificate_timestamp - data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits - data.append("\0\0", 2); // entry-type: x509_entry + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + if ( precert ) + data.append("\0\1", 2); // entry-type: precert_entry + else + data.append("\0\0", 2); // entry-type: x509_entry + + if ( precert ) + { + x = X509_dup(x); + assert(x); + #ifdef NID_ct_precert_scts + int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); + if ( pos < 0 ) + { + reporter->Error("NID_ct_precert_scts not found"); + return new Val(0, TYPE_BOOL); + } + #else + int num_ext = X509_get_ext_count(x); + int pos = -1; + for ( int k = 0; k < num_ext; ++k ) + { + char oid[256]; + X509_EXTENSION* ex = X509_get_ext(x, k); + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + OBJ_obj2txt(oid, 255, ext_asn, 1); + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) + { + pos = k; + break; + } + } + #endif + X509_EXTENSION_free(X509_delete_ext(x, pos)); + assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); + } unsigned char *cert_out = nullptr; - uint32 cert_length = i2d_X509(x, &cert_out); + uint32 cert_length; + if ( precert ) + { + // we also could use i2d_re_X509_tbs, for OpenSSL >= 1.0.2 + x->cert_info->enc.modified = 1; + cert_length = i2d_X509_CINF(x->cert_info, &cert_out); + data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); + } + else + cert_length = i2d_X509(x, &cert_out); 
assert( cert_out ); uint32 cert_length_network = htonl(cert_length); assert( sizeof(cert_length_network) == 4); - data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length - data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate OPENSSL_free(cert_out); + if ( precert ) + X509_free(x); data.append("\0\0", 2); // no extensions // key is given as a DER-encoded SubjectPublicKeyInfo. @@ -580,31 +659,11 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa string errstr; int success = 0; - const EVP_MD* hash; - // numbers from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 - switch ( hash_algorithm ) + const EVP_MD* hash = hash_to_evp(hash_algorithm); + if ( ! hash ) { - case 1: - hash = EVP_md5(); - break; - case 2: - hash = EVP_sha1(); - break; - case 3: - hash = EVP_sha224(); - break; - case 4: - hash = EVP_sha256(); - break; - case 5: - hash = EVP_sha384(); - break; - case 6: - hash = EVP_sha512(); - break; - default: - errstr = "Unknown hash algorithm"; - goto sct_verify_err; + errstr = "Unknown hash algorithm"; + goto sct_verify_err; } if ( ! key ) 
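Review bot: In the `@@ -553,21 +580,73 @@` hunk the line `assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 );` sits after the `#endif`, so in the `#else` configuration where `NID_ct_precert_scts` is undefined the file no longer compiles; the assert belongs inside the `#ifdef` branch, and the `#else` branch should report and return when its OID loop leaves `pos` at -1 instead of handing -1 to `X509_delete_ext` (which presumably returns NULL and is then silently freed). On the `pos < 0` early return the `X509_dup` copy in `x` is never freed, since only the normal path reaches `X509_free(x)`. `x->cert_info->enc.modified = 1;` also reaches into a structure that is opaque in OpenSSL 1.1, so the `i2d_re_X509_tbs` alternative the comment mentions is the portable choice. `sct_verify`'s body extends beyond this hunk on both sides.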
@@ -638,6 +697,93 @@ sct_verify_err: return new Val(0, TYPE_BOOL); %} + +%%{ +/** + * 0 -> subject name + * 1 -> issuer name + * 2 -> pubkey + */ +StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type) + { + assert(cert_handle); + + if ( type > 2 ) + { + reporter->InternalError("Unknown type in x509_entity_hash"); + return nullptr; + } + + X509 *cert_x509 = cert_handle->GetCertificate(); + if ( cert_x509 == nullptr ) + { + builtin_error("cannot get cert from opaque"); + return nullptr; + } + + X509_NAME *subject_name = X509_get_subject_name(cert_x509); + X509_NAME *issuer_name = X509_get_issuer_name(cert_x509); + if ( subject_name == nullptr || issuer_name == nullptr ) + { + builtin_error("fail to get subject/issuer name from certificate"); + return nullptr; + } + + const EVP_MD *dgst = hash_to_evp(hash_alg); + if ( dgst == nullptr ) + { + builtin_error("Unknown hash algorithm."); + return nullptr; + } + + unsigned char md[EVP_MAX_MD_SIZE]; + memset(md, 0, sizeof(md)); + unsigned int len = 0; + + int res = 0; + + ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509); + if ( key == 0 ) + { + printf("No key in X509_get0_pubkey_bitstr\n"); + } + + if ( type == 0 ) + res = X509_NAME_digest(subject_name, dgst, md, &len); + else if ( type == 1 ) + res = X509_NAME_digest(issuer_name, dgst, md, &len); + else if ( type == 2 ) + { + unsigned char *spki = nullptr; + int pklen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert_x509), &spki); + if ( ! pklen ) + { + builtin_error("Could not get SPKI"); + return nullptr; + } + res = EVP_Digest(spki, pklen, md, &len, dgst, nullptr); + OPENSSL_free(spki); + } + + if ( ! 
res ) + { + builtin_error("Could not perform hash"); + return nullptr; + } + + assert( len <= sizeof(md) ); + + return new StringVal(len, reinterpret_cast(md)); + } +%%} + +function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 0); + %} + ## Get the hash of issuer name of a certificate ## ## cert: The X509 certificate opaque handle. 
@@ -649,78 +795,16 @@ sct_verify_err: ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify -function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string +function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ - assert(cert); - assert(hash_alg); - file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; - X509 *cert_x509 = cert_handle->GetCertificate(); - if (cert_x509 == NULL) - { - builtin_error("cannot get cert from opaque"); - return NULL; - } - X509_NAME *issuer_name = NULL; - StringVal *issuer_name_str = NULL; - issuer_name = X509_get_issuer_name(cert_x509); - if (issuer_name == NULL) - { - builtin_error("fail to get issuer name from certificate"); - return NULL; - } - - const char* h = hash_alg->CheckString(); - if (h == NULL) - { - builtin_error("fail to get hash algorithm from input"); - return NULL; - } - - const EVP_MD *dgst; - if (strcmp(h, "sha1") == 0) - dgst = EVP_sha1(); - else if (strcmp(h, "sha224") == 0) - dgst = EVP_sha224(); - else if (strcmp(h, "sha256") == 0) - dgst = EVP_sha256(); - else if (strcmp(h, "sha384") == 0) - dgst = EVP_sha384(); - else if (strcmp(h, "sha512") == 0) - dgst = EVP_sha512(); - else - { - reporter->Error("Unknown digest!"); - return NULL; - } - if (dgst == NULL) - { - builtin_error("fail to allocate digest"); - return NULL; - } - - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int len = 0; - ASN1_OCTET_STRING *oct_str = ASN1_STRING_type_new(V_ASN1_OCTET_STRING); - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - char buf[1024]; - memset(buf, 0, sizeof(buf)); - - if (!X509_NAME_digest(issuer_name, dgst, md, &len)) - goto err; - if (!ASN1_OCTET_STRING_set(oct_str, md, len)) - goto err; - if (i2a_ASN1_STRING(bio, oct_str, V_ASN1_OCTET_STRING) <= 0) - goto err; - new_len = BIO_read(bio, buf, sizeof(buf)); - if (new_len > 0) - issuer_name_str = 
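Review bot: In `x509_entity_hash`, `int pklen = i2d_X509_PUBKEY(...)` is only checked with `if ( ! pklen )`, but i2d functions return a negative value on error, and a negative `pklen` would be passed to `EVP_Digest` as a `size_t` length; the check should be `if ( pklen <= 0 )`. The `ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509);` lookup and its `printf("No key in X509_get0_pubkey_bitstr\n");` are debug residue: `key` is never used afterwards and the message goes to stdout instead of `reporter`/`builtin_error`, so both lines can be dropped. The new `x509_subject_name_hash` bif also has no `##` doc comment, unlike the `x509_issuer_name_hash` it sits next to; a one-line `## Get the hash of the subject name of a certificate.` plus `## hash_alg: IANA TLS HashAlgorithm number (e.g. 4 for SHA-256)` would match the file's style.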
new StringVal(new_len, buf); - - //NOTE: the result string may contain "\\x0a" for sha384 and sha512 - // probably need to remove it from here? -err: - BIO_free_all(bio); - return issuer_name_str; + return x509_entity_hash(cert_handle, hash_alg, 1); + %} + +function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 2); %} diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout index a27331e535..e11616d745 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -2,3 +2,11 @@ 0, Google 'Rocketeer' log, 1474927232.863, 4, 3 0, Google 'Aviator' log, 1474927232.112, 4, 3 0, Google 'Pilot' log, 1474927232.304, 4, 3 +Verify of, Symantec log, T +Bad verify of, Symantec log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index c0fe06d4d3..8bb920ee71 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test 
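Review bot: `x509_issuer_name_hash` changes its `hash_alg` parameter from `string` (`"sha1"`, `"sha256"`, ...) to `count`, which breaks any existing script caller, and neither it nor the new `x509_spki_hash` documents what the number means; the callers in this series pass a bare `4` with a `# SHA256` comment. Add to the `##` block of `x509_issuer_name_hash` (and a matching block for `x509_spki_hash`) a line such as `## hash_alg: hash algorithm as an IANA TLS HashAlgorithm value (1=md5, 2=sha1, 3=sha224, 4=sha256, 5=sha384, 6=sha512).`, which is the numbering the replaced switch in `sct_verify` used. Since MD5 and SHA-1 remain selectable, a short note that they are accepted for interoperability rather than recommended would help readers of the spki-hash function.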
@@ -1,7 +1,62 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +@load protocols/ssl/validate-certs + +redef SSL::ssl_store_valid_chain = T; + +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) { print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + if ( |c$ssl$valid_chain| < 2 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash); + } } From 22b1eda472a3dc2c6584dc7734cbf6beb48b83b5 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 21 Mar 2017 18:55:43 -0700 Subject: [PATCH 068/147] SCT: Add signed certificate timestamp validation script. This also rewrites the certificate validation script (which we need for this) slightly. This could need a bit of caching, but should generally work very reliably. --- .../policy/protocols/ssl/validate-certs.bro | 27 ++- scripts/policy/protocols/ssl/validate-sct.bro | 173 ++++++++++++++++++ .../.stdout | 17 ++ .../ssl-all.log | 20 ++ .../tls/signed_certificate_timestamp-2.pcap | Bin 0 -> 7982 bytes .../policy/protocols/ssl/validate-sct.bro | 21 +++ 6 files changed, 249 insertions(+), 9 deletions(-) create mode 100644 scripts/policy/protocols/ssl/validate-sct.bro create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log create mode 100644 testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-sct.bro diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 5ab2017cc6..4c100ac413 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -120,8 +120,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result |result$chain_certs| > 2 ) { local result_chain = result$chain_certs; - local icert = x509_parse(result_chain[1]); - if ( icert$subject !in intermediate_cache ) + local isnh = x509_subject_name_hash(result_chain[1], 4); # SHA256 + if ( isnh !in intermediate_cache ) { local cachechain: vector of opaque of x509; for ( i in result_chain ) 
@@ -129,33 +129,42 @@ function cache_validate(chain: vector of opaque of x509): X509::Result if ( i >=1 && i<=|result_chain|-2 ) cachechain[i-1] = result_chain[i]; } - add_to_cache(icert$subject, cachechain); + add_to_cache(isnh, cachechain); } } return result; } -event ssl_established(c: connection) &priority=3 +# The server issues CCS only after sending the certificates. This should +# be more robust than using SSL_established, on the off chance that we don't +# get that event. +# +# This is not TLSv1.3 compatible - but we will not have certificates in +# that case in any way, so it even saves us a few cycles. +event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3 { + if ( is_orig ) + return; + # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; local intermediate_chain: vector of opaque of x509 = vector(); - local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; + local issuer_name_hash = x509_issuer_name_hash(c$ssl$cert_chain[0]$x509$handle, 4); # SHA256 local hash = c$ssl$cert_chain[0]$sha1; local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from # the server. - if ( ssl_cache_intermediate_ca && issuer in intermediate_cache ) + if ( ssl_cache_intermediate_ca && issuer_name_hash in intermediate_cache ) { intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle; - for ( i in intermediate_cache[issuer] ) - intermediate_chain[i+1] = intermediate_cache[issuer][i]; + for ( i in intermediate_cache[issuer_name_hash] ) + intermediate_chain[i+1] = intermediate_cache[issuer_name_hash][i]; result = cache_validate(intermediate_chain); if ( result$result_string == "ok" ) 
@@ -188,7 +197,7 @@ event ssl_established(c: connection) &priority=3 { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, - $sub=c$ssl$subject, $conn=c, + $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); } } diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro new file mode 100644 index 0000000000..1d3db58494 --- /dev/null +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
@@ -0,0 +1,173 @@ +##! Perform validation of Signed Certificate Timestamps, as used +##! for Certificate Transparency. See https://tools.ietf.org/html/rfc6962 +##! for more details. + +@load base/protocols/ssl +@load protocols/ssl/validate-certs + +# We need to know issuer certificates to be able to determine the IssuerKeyHash, +# which is required for validating certificate extensions. +redef SSL::ssl_store_valid_chain = T; + +module SSL; + +export { + + type SctSource: enum { + SCT_X509_EXT, + SCT_TLS_EXT, + SCT_OCSP_EXT + }; + + type SctInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + source: SctSource; + valid: bool &optional; + }; + + redef record Info += { + valid_scts: count &optional; + invalid_scts: count &optional; + valid_ct_logs: count &log &optional; + valid_ct_operators: count &log &optional; + valid_ct_operators_list: set[string] &optional; + }; + +} + +redef record SSL::Info += { + ct_proofs: vector of SctInfo &default=vector(); +}; + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 + { + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5 + { + local src: SctSource; + if ( ! 
f?$info ) + return; + + if ( f$source == "SSL" && f$info$mime_type == "application/ocsp-response" ) + src = SCT_OCSP_EXT; + else if ( f$source == "SSL" && f$info$mime_type == "application/x-x509-user-cert" ) + src = SCT_X509_EXT; + else + return; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); + } + +# Priority = 2 will be handled after validation is done +event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 + { + if ( is_orig ) + return; + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_name_hash = x509_issuer_name_hash(cert, 4); + local valid_proofs = 0; + local invalid_proofs = 0; + c$ssl$valid_ct_operators_list = string_set(); + local valid_logs = string_set(); + local issuer_key_hash = ""; + + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + if ( proof$logid !in SSL::ct_logs ) + { + # Well, if we don't know the log, there is nothing to do here... + proof$valid = F; + next; + } + local log = SSL::ct_logs[proof$logid]; + + local valid = F; + + if ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); + } + else + { + # X.509 proof. Here things get awkward because we need information about + # the issuer cert... and we need to try a few times, because we have to see if we got + # the right issuer cert. + # + # First - Let's try if a previous round already established the correct issuer key hash. 
+ + if ( issuer_key_hash != "" ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + + # Second - let's see if we might already know the issuer cert through verification. + if ( ! valid && issuer_name_hash in intermediate_cache ) + { + issuer_key_hash = x509_spki_hash(intermediate_cache[issuer_name_hash][0], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + if ( ! valid && c$ssl?$valid_chain && |c$ssl$valid_chain| >= 2 ) + { + issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + # ok, if it still did not work - let's just try with all the certs that were sent + # in the connection. Perhaps it will work with one of them. + + if ( !valid ) + for ( i in c$ssl$cert_chain ) + { + if ( i == 0 ) # end-host-cert + next; + + issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + if ( valid ) + break; + } + } + + proof$valid = valid; + if ( valid ) + { + ++valid_proofs; + add c$ssl$valid_ct_operators_list[log$operator]; + add valid_logs[proof$logid]; + } + else + ++invalid_proofs; + } + + c$ssl$valid_scts = valid_proofs; + c$ssl$invalid_scts = invalid_proofs; + c$ssl$valid_ct_operators = |c$ssl$valid_ct_operators_list|; + c$ssl$valid_ct_logs = |valid_logs|; + } diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout new file mode 100644 index 0000000000..ec22e1c01b --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout 
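Review bot: The last-resort loop in the `SCT_X509_EXT` branch dereferences `c$ssl$cert_chain[i]$x509$handle` without checking `?$x509`, while the leaf check at the top of the handler does test `c$ssl$cert_chain[0]?$x509`; an intermediate the X509 analyzer could not parse would raise a script error here and abort the handler before `valid_scts`/`invalid_scts` are set. Change the skip condition to `if ( i == 0 || ! c$ssl$cert_chain[i]?$x509 ) next;`. That inner `for ( i in c$ssl$cert_chain )` also reuses the outer loop variable `i` from `for ( i in c$ssl$ct_proofs )`, which is confusing even if the outer iteration does not depend on it; naming it `j` makes the two loops independent. The handler is a new file and is fully contained in this hunk.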
@@ -0,0 +1,17 @@ +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1410299366023, sig_alg=3, hash_alg=4, signature=0E\x02 )\x89\xd6\xb0S\xd3\xd2\xe9\x91\xbc\xf1\xb5@\xbe\x1e.\xe7\\xb4t'\xed\x8f\x9b\x02\xe9\xfa\xc2L\xba\xa2\xbe\x02!\x00\xafCdRq\x15)X@\x91\xc7\x08\x16\x96\x03\xa8s\xa5e\xa0l\xb8HVZ\xb6)\x83dm*\x9d, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_OCSP_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 
2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_OCSP_EXT, valid=T]] +Google 'Pilot' log, T +Google 'Aviator' log, T +Google 'Rocketeer' log, T +Google 'Pilot' log, T +Google 'Aviator' log, T +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487726002208, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x89\x82s\x17\xd9\xcbo\xcf\xc3\xba\x91{\xeb\xe8\xf1\xbe\xc8)\x97\x1e\xe8A\x99P\x00\xaa\xb4\x15\xd97\x93\xca\x02!\x00\xca\xcd\xec\x9e\x12\xeed/v\xf5\xc32\xba\x92S\xe0 }\x85k\xe7\xd4TRp\xe8\x8d~\xba\x9d\x12\x16, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xac;\x9a\xed\x7f\xa9gGW\x15\x9em}WVr\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa11;ux-, timestamp=1487726003188, sig_alg=1, hash_alg=4, signature=\x04\xed\x08\xca\x8e\x1b\x8ba$\xe5\xe8{Y\x96'+\x06\x86\x87o\x1a=i5\x91\xc3\xfd\xf6\xbe\xeao;\xc8\x1c\x01j\xc0\x14\xea\x06\xd3\xe3#w,\x07\x06\xc3\xd0\xdc\xf2L:\xb0{\xfd.\x00\xdf\xc2\xb8w(\xaak\xfe^\xa0\x05\xe1\x84\xad\x1a!\xf2@/J\xcc\xcb8\xbb\xfa`;CF\F\x97t\xfew\xf5y\xfcZ\x08\xb82\x8c\x1dk, timestamp=1487726024253, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x99\x8c\xa5+u\xe1t\x08\x0a\xa9!\xed)\x9b\xb6\xccx\x8d0VN,RZ2\xd93\xdc\xa7 \xa5\xd3\x02!\x00\xc8\xde\x96\x8d\x02\xd6\xfcx\xdbM \x06\x1cq\xe5\x10\xe3 \x18B\\x1d1\x88\xb0\xeb\xf3\xf2\x9b\x99X\xb4, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487726001197, sig_alg=3, hash_alg=4, signature=0E\x02 F\xc2\xfb\x02\xfd\xa3RNy_\x16^\xb54-S\x90\xdbK\x97\x87\x00\x93\xa1\x0d'\xc0<\xbeu\xc4\xab\x02!\x00\xb4\x93\xbb\xe2\xee\x14X\xd4\xcf\xa4\xc1\xd8\xcf\xdaAoaD\xf0\xbbM7\xdb\xb0\xec\xca\x0f\x18\xcbe\x8d\xe9, source=SSL::SCT_TLS_EXT, valid=T], [version=0, 
logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487726002855, sig_alg=3, hash_alg=4, signature=0D\x02 I\x06\xb4\x84Zo\xf49\x85\xd2\xbb\xc8\x8bb\x9b\xac\xbd\x84\x00\xf2f\xd0\x14\x0cV\x15_\xc7\x09&\xc1\x9f\x02 M\x0c\x05\x01ab\xe5\x97\xf9\xf8'\x02\xf4\x198\x97\xd2>xa\xc2\xda\xc1saw\xd8]\xc8\x97\xd6], source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487726000774, sig_alg=3, hash_alg=4, signature=0E\x02!\x00\xb1\x1atJ4\x80\xbd\xc5\x97\x7f(\xae^N\xe3WE-AO\x14X\x0aB\x1e\xc4\xb36\x00TVg\x02 o1hk\xec\x9fFG\xa4\xd2&\x97>E\x87\x7f\xcf\x1c\xc8\xdb>j\xc9\xde\xf5\x1e\x97\xf8\xc3e\xcc\x11, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487725321667, sig_alg=3, hash_alg=4, signature=0E\x02 S\xc6N8\xf0\x84\xe5\xc8\xf5C\x87\xf6\xedU\x10\x0b}u2\xd2\x08+\x04\xbbS\xf6a\xc1\xb0\x94\x04\xc3\x02!\x00\xf4\xa2g\xa5!_\xee\x13\xd5\x0f\xd1\xb2\xe8o\x99\x10m\xa9\x0f\xd7W\xd5IH\xaa\x89\xdews\xe3=\x95, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487725322003, sig_alg=3, hash_alg=4, signature=0D\x02 \x04\x9d.\x13Q\xed\xed\xf1l\x9f\xa1\x94\x9dd\xfe\x9c0V|\xb6\xa8|9L5/\xaa\x19\xc7*\xed\xcf\x02 0\x0e+\xe3\xa4S\xfe\x85\xa6X\xcc\x06\xf2\x13\xe9\x0a\x87\xa0I\xdf\x8dr\x13xb\x12\x8c\xe6\xdd\x8f\xa8\xde, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487725322768, sig_alg=3, hash_alg=4, 
signature=0F\x02!\x00\xd37.:`\x98\x08\xb8\xf8\xc0\xad\xb1z\xe2]\x00\xb8\x08"\x97\xc8P\xeb1\x97\x16\x95!\xd0T\xb5\xd6\x02!\x00\xfe\xb8\xa3\xbf\x12\xb6%\x97\x9b\x0f\x0f\x9fc\xccP\xa0\x07\x0c\xe9\xf2\xda\xe9\\x0a\x8e\xeag\x8a\x131\x96?, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487725321891, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xe7\x14'\xc8\x03?\xfc\xf1\xc6\x86\xe4g\xb6s\x034<\xf0\x96\xf0\xe0\x1a\xb8\x953\xe0\xf8U\x1d\x1c\xbf\xe6\x02!\x00\xcag\xf24\xcc\x86\x1aYd\xfb{\x82N\xeb,\xa3\xecu\xf1i\x01\xbc\xd4b\x1a\x9e\xa8\xc4\xca\x8f\x01\x8b, source=SSL::SCT_X509_EXT, valid=T]] +Google 'Pilot' log, T +Venafi log, T +Venafi Gen2 CT log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T +Google 'Pilot' log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log new file mode 100644 index 0000000000..0696d31ffe --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log 
@@ -0,0 +1,20 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-35 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1484228945.191472 CHhAvVGS1DHFjwGM9 192.168.178.73 60640 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - http/1.1 T FDWgotac24NQJKrRi,FUHPFD4bNbAmVvzf99,FL5BECVkzTuWWefyh (empty) CN=ritter.vg,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - ok 3 1 +#close 2017-03-22-01-52-35 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-36 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1490146178.647622 CHhAvVGS1DHFjwGM9 192.168.17.58 51995 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - h2 T Fui6LM65IdSB9LD25,FIwxeCtbWPXg98zO1 (empty) CN=ritter.vg,O=Tom Ritter\\, LLC,L=Urbana,ST=Illinois,C=US,serialNumber=0600438893,jurisdictionST=New Jersey,jurisdictionC=US,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - ok 6 3 
+#close 2017-03-22-01-52-36 
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6d19d32049e4b5bcf2359f535836261fb4d8a2cf GIT binary patch literal 7982 zcmd^Ec{o+w+ur+39USA4c{q}x#M#G?LWT+<5@pI8$Iu}n^HkxKql7f7M8sQBN`(w5 z(jZi#Od&%98A3>eZ*5+^rM~y~{{H&@`1Zcmb?v?OUiba1wVri9&tCgw`OP#8goFM* za1ab`m~}5~#tI0K8MsDEfn2YBv~@78?2*oWBBT#Ny7C3OkS@W}p!71Y2HoSZXO$>i z{5qsv6-COy%*?P{AP9rQ=fYSl9)^kR@v^U#(Puc!9Qv6zY|vV8kCr*yISznMfdGmw zq(q4Oh$5p5aB-FBVX9#aU{H(T3wqFCJco|MV6jAifZE#%5Lbe0wESYPytOTA@6wV5 z_NoEY!{$5`D4=N$ey_zgnmzfm&9;HK4-mAZxtR=;F=TA1LMgR$MJZC9S$(;b zT*?ofgOVXCqz17As2f>X5HtfWK-VBHhy+1wzV811uD(iv3`h{vNrS=(@k4w#ED?u; z@mL}r4-*Ll7z0Ci2tV5n;sY=7pv^IE%0xGR|J_uY5-q?S)N(-JJxCr>fROhL15e%Aeu#1R<^I@@A3>Jpi z!AS%d;=n8+aN;0N7!wnNVlIY00;>Nf2kMZu;Uq{4^cO9^xVU`bH0t7YUlzFd;nyLZ z8s7Tbn_u+3Pk>Miw5Rfp9B zmXo($Jf(*5xCbn5I-iZfPn?-)IpS`46Dp-b*qbQ%oX>GUI4lI58uc<@1H^}o#l}EE zP(~qJLavYve{?bVLN#MIyO!E%+*i>z1zkZ;xhgnYcpwP2bEfN3z^cbW8xRAG6m*E` zC)iZw{k**BXjpIe(A|nEN4#zX z5Ca#*^%E=OMGw=LzUvONJte0=U`2b2tZ`R6T0S*)_oKIFg&4fEl>Z~4u1h*-#Ues^ zP0R2`jhwJ4CFsrlf*|=UkLm5H_>KeFB2vS;RO9NZRmBsIn(GYgwOj?8cj!|?ZF*}$ z7H@miIdFa4W5DKE#wya4#eo+ypof+_y?gF#Y~vL_9-egf26=L*YEm_7cxRb^4wIp| z9PfT+xm!o|qS}Cpjdh8Ik=qns%t(}GL~IWXEKqpp(^vW-0pbmtvd!J$As3dhWn{yq zDe%c zhd+@$Q>uSiQhs%C9Aag*!op6uNu}iy<EPG zF+}t+6odPdn5lFNvk(V??Rlz-mI<#-5~HExX`FJUT6Y5;Tmihf$BR1$_-$T3&nRnr z-mK?MUq4uEs{T5suaaA+$~CSB3V;SoN^S={b1dpu>n?evBV|WA_dbUl-^TsWgRn!P zm#3=cc-LN<qWq#BamCR^q{}mCzO| z28QBIbMxpsZ(x{FE1RgTA07T&tm3uy&L?f75{cvGuGPFi)bS7&h&ou}q?a5JsRklF zg@~L8lgNfJ2}7w^42;3>aBEEyFSaI(sP8*CJYuS~5#c1TEoW_Dec^;*4m^Ye&^Qn_ z0(L8oK*nsfq%B6s=nXrWwBDWJzRuOxpJL?YOcO=~(P|DdPf$>hk_&j`3?3;td+(yD zBFg9^ELq`u3(F09$`t)ze^)OTR~L#E-P7HL?(gpHMX_}C4RrOTtkXjz1UYHyh_W&b znLX^l?J97)lBSH_+aZw;Y2t_|3d~L7H}`c9r2D&4Hu*B>Uhbi@STr)iOW;r-z&Mzx zu7!cIv*wE;!ar7G$n0jWK@?+GUq9E7*%km0Pi99}B8aNWs#U91e(pUl!i`cA$wVVh 
zPj@eGcRw087%)(^h)me(>qPgW(}WNKw1S%{OPesBd_6b$VLML-?J-wY? zcxIX6(9N6T{q-)G`wqtO!#CfbYX6eFGlR*&L)?&6MK5KSRgSFpT9N3P!tWnrYrn6P zL*j^xvs}@{=Ig>wiYlbVJjx|GrcJNLRDJQBcu_sHPuurt^0iK>NL;ZH*E;yrl7k$wqe^aU=Q0FIw2`0YhraLOIu z2vS^&lZh<1!RJ^c0Da7h^FlnCf6pY76ZQP>`4^KkcNxe)7Xfp2S^QKZ;P1U_uEL4# z=jXZ8MakO>ECHs_a;4utLAX#_ZWx}y;jkEd>YSA_I01y8Km>k{$1lRd->)!pR!X8) zBC4s%sR&C6P3|Cz?g+{L0xBVi7X=E8IdFyMj{W+w}D~Y9wZc5 zI)9JAETO;p1mZLc}TBip_!yh4` z{UW2Ik3rDo`GvqfD=zgR7#s%2gg=1N1$O|o|5y2sRcrZowWnA>v?Oz2|t2gAogBvbciM+YLf5`KE+KFVB>2rwHp8U&uR&P|JW(hxD-v1m!LAVsU zGAyT~F4|NRhRHqb(Wypn;(W=$PJFTNTaR3B14+ccim6teAnp5}?$xO)X*ixH7L1o> z-w5se11cacNvtsMr6mfSl&aa1R}cC-U66i{FJC4xiJSYpbG3QuB2v$AbB{fH{6|I% znRZGC5dW*FYSoth1MvrbxeBb#x1mR@w~Ty0tg6=Fslj%Uf|Dxk<6FhW?!5=Zm5gE4 zYL7YD(&^|nkW(OTwUMLIX)1I#DY^H6LB<~h)9juaA+54h zZ7KDX_>N8C5_?Soq&`}F9=%5JjdH7Th-es(x#zQ{R_m1&S>@zmRQVf#@;?LL=4e@% z^W#d3U^M4{ZvV6LTYR2Xej%uzV?P85N?sal&}H`*v`B?MS6iH5Sh}Au4v8)x>|t{w zk@ucaZ75E;ThQPwnBIOCqA2z?1&U-(boM(qtGdUWrt5OPDYf+A$RIv_8PTJ#HQ7P$ zqSAHPqtZcj@~KIyl*tU?lQNY@`)Cp__rMY-BY~Z=TU(YeI&^&^ViQN3i@zMrs!{PM z>Ub_#N9X^Fm{f>5ib=Fye-)ez;fjDf=OavP%3rw&DI{}!PAu<9$}ze_r-%6d1!IqR z{v4hE``knUSq7Fhh{#Lkm4LFro#95&^YaVvrF%KMQuM7T7T(_e^C^i64b4gBau7jI zBJv2=(C z(NPk~x-4O$zRX|HI2(*Sku`Hcb|r!)*EkSwq5mqr z{+-|aHvRcAKf0k^?v5S5X9&MMEh|FAd~$YCC||G)XC*K>zb1jz!NT-EOdV7e^Dm1F ztY)!a9yE?wTdz}*X_~!A^)emPxgIXnv$6)!xNxwEJqPIGj<*t6_Zw zRkucC`K>Nftfx>?WdjsSJrbpnF+S})i2pQ;m&5;A{dZ5WWYcPmB7 zP~F@&Hk>J1>vTjBYu8*}k@jqb#RbT@*RRN@!bna!(IqNn6<4;in^uuUq)kZr3eual zUA?s7qSQT}Ln~f(lms16$39cet2i4eVtmX@)8K5>^!^K9Q)1JrIk(?h^Bfm^gr7f5 z`P^gZqWy!sw5@S=R&E(fc4uit`ZOh9*4G?)H+Erj>*Fw|Zf}x*Z$b0;y=cx5^P>q# zLYhZy<%ZPc$ya3ez4{UgKGoni0ucNfq^k|UU+cg&Un&!>2A35Cwz(t^0dB{H3qe&L z5}9%VB&olfL?Lcv1bjfL0I8y>f{!RW#1HX7jKHTHUV#gX5y3+^exs3+7@>QCgwqe( zbQRq+eRjTm&-y*uub+t#&@T+Byx*(T5kw7qLfQS!Q%=;B6+SZ+)-GY&l}f$JbtYJA zCGWWz;Zz-ovv!d(9OUHut1n0t@rBxoui>3cip$v5dECpoOg z4GKJBjN{G=I&5I+)7NvB{Ymdp%EUMlKus~QuC$abz-#{<{r9pf?gw}?6NP`xLa zvyN(Vh3~EE)RVKJPecVCBxdY!B2Wz-#_IX$OT4yTvhmlj5kFWw)#^5&(kL)`-t~P- 
zu+_N0?Suw~B-sVWZyWtWhh7&TvoXBE@KU9?ZBJf=rR|=2>f|!@eyQ7CA{Tl+#oL~r zT^xS@=4C~$7#*l^X{P8QwM&QhXks=U&HA)~4S(7($EG9*Ho`)JdN`X!;X7DY zImewg!r@Y9+YgjIX5d#XT@m1w_U7zOj#xr^VK-G~Vwp9+|Jp}RhhK-q?bs0-rl>Ri zm1R1yc*~#+&@f2OQmxRuOUAi&f02J#vFP!Q^egD}@-l^}@I83$pY|bN@;Z`w+ zBKXfJPO~VvzoJ-!zXp;KE?fQ$3fDM_vPqF@q=;ym?R6z~V5U14^s7%~89{8~NSjDdq(4K5kUx+_iH zXD)qO@WM7*X24}LzV|0o1az`hrmQF1&T}je3fmjRb%%tJIVLhZkbYkMrZB}Z{YlHj zX?`$cFpSQdJTPbW@cE)9v!hmzwO(Y(*Rs{H#kgpc=BjdGokhYfq~~4dAL!gNQb`cl zl$*N z2D+JXQEygr;bg6hkMD+#?zgJNK9PwMI5B%2ybyONJS{*KX(a zyglBE)0D4HDYWm%hvnms#OtdzT(>>FJ;%3%9Ez8|x{;&lx{WWT=VoK6a?J-+cjVrS{Gk4PG{)sC+EHwq$YowN2x57}kAGVs}` ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log + +@load protocols/ssl/validate-sct.bro + +module SSL; + +event ssl_established(c: connection) + { + print c$ssl$ct_proofs; + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + local log = SSL::ct_logs[proof$logid]; + print log$description, proof$valid; + } + } From aec62aeee9c8a61251ea56b6d73ca0b523ff5d81 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 21 Mar 2017 19:10:53 -0700 Subject: [PATCH 069/147] SCT: Add caching support for validation --- scripts/policy/protocols/ssl/validate-sct.bro | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 1d3db58494..e28b89de88 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -40,6 +40,9 @@ export { } +global recently_validated_scts: table[string] of bool = table() + &read_expire=5mins &redef; + redef record SSL::Info += { ct_proofs: vector of SctInfo &default=vector(); }; 
@@ -91,6 +94,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 return; local cert = c$ssl$cert_chain[0]$x509$handle; + local certhash = c$ssl$cert_chain[0]$sha1; local issuer_name_hash = x509_issuer_name_hash(cert, 4); local valid_proofs = 0; local invalid_proofs = 0; @@ -110,12 +114,20 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 local log = SSL::ct_logs[proof$logid]; local valid = F; + local found_cache = F; - if ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) + local validate_hash = sha1_hash(cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)); + if ( validate_hash in recently_validated_scts ) + { + valid = recently_validated_scts[validate_hash]; + found_cache = T; + } + + if ( found_cache == F && ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) ) { valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); } - else + else if ( found_cache == F ) { # X.509 proof. Here things get awkward because we need information about # the issuer cert... and we need to try a few times, because we have to see if we got @@ -155,7 +167,11 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 } } + if ( ! found_cache ) + recently_validated_scts[validate_hash] = valid; + proof$valid = valid; + if ( valid ) { ++valid_proofs; From b8e81029f87c858a79b86f85e879e54abebc4347 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 27 Mar 2017 20:13:12 +0000 Subject: [PATCH 070/147] TLS-SCT: compile on old versions of OpenSSL (1.0.1...) --- src/file_analysis/analyzer/x509/functions.bif | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 83e73e5d46..80fc3bb9af 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
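Review bot: `local certhash = c$ssl$cert_chain[0]$sha1;` reads a field that is `&optional` in `Files::Info` and is only populated when the SHA1 file analyzer ran on the certificate; accessing an unset optional field is a script runtime error that aborts the whole handler, so in a deployment without that analyzer SCT validation would stop entirely instead of merely losing the cache. Guard it with `if ( ! c$ssl$cert_chain[0]?$sha1 )` and, when the hash is missing, skip both the cache lookup and the store rather than returning. The body of `ssl_change_cipher_spec` begins before this hunk and continues after it.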
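Review bot: The cache key `cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)` joins its fields with no delimiter or length prefix, so the two adjacent counts `proof$timestamp` and `proof$hash_alg` can trade digits (`123` followed by `4` and `12` followed by `34` yield the same bytes), and a proof that differs only in that split would inherit the other's cached verdict; the `validatestring` introduced by commit 876f492a keeps the same shape while appending `proof$source` and `c$ssl$validation_code`. A separator between the fields, e.g. `cat_sep("|", "", certhash, proof$logid, proof$timestamp, proof$hash_alg, proof$signature)`, removes the count/count ambiguity, assuming `proof$logid` is the fixed-size log id so the prefix stays unambiguous. As a matter of style, `found_cache == F` reads better as `! found_cache`, which is the form the same commit uses in the later `if ( ! found_cache )` store. `ssl_change_cipher_spec` starts before this hunk and continues after it.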
@@ -600,14 +600,14 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa { x = X509_dup(x); assert(x); - #ifdef NID_ct_precert_scts +#ifdef NID_ct_precert_scts int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); if ( pos < 0 ) { reporter->Error("NID_ct_precert_scts not found"); return new Val(0, TYPE_BOOL); } - #else +#else int num_ext = X509_get_ext_count(x); int pos = -1; for ( int k = 0; k < num_ext; ++k ) @@ -622,9 +622,11 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa break; } } - #endif +#endif X509_EXTENSION_free(X509_delete_ext(x, pos)); +#ifdef NID_ct_precert_scts assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); +#endif } unsigned char *cert_out = nullptr; @@ -684,7 +686,14 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa goto sct_verify_err; } +#ifdef NID_ct_precert_scts success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); +#else + // older versions of OpenSSL use a non-const-char *sigh* + // I don't think they actually manipulate the value though. + // todo - this needs a cmake test + success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); +#endif EVP_MD_CTX_destroy(mdctx); return new Val(success, TYPE_BOOL); From d531a5405ae932425fef157aed0a544a08e986b0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 29 Mar 2017 12:40:14 -0700 Subject: [PATCH 071/147] SSL: Fix type of ssl validation result --- scripts/policy/protocols/ssl/validate-certs.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 4c100ac413..c50da10380 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro 
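Review bot: With `assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 )` now compiled out on the `#else` side, nothing on old OpenSSL checks that the SCT extension was actually located: `pos` starts at `-1` in the preceding hunk, and if the OID loop never matches, `X509_delete_ext(x, -1)` should be a no-op, so verification proceeds on a certificate that still carries its SCTs, whereas the `NID_ct_precert_scts` branch reports an error and returns. Unless a check sits in the lines between the two hunks, mirror that behaviour before the delete with `if ( pos < 0 ) { reporter->Error("SCT extension not found"); return new Val(0, TYPE_BOOL); }`. While there, the existing early return in the `#ifdef` branch does not visibly free the `X509_dup` result; if `x` is released on the success path further down, the error path should do the same. `sct_verify` begins before these hunks and continues past them.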
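Review bot: The `#else` branch keys the `(unsigned char*)` cast on `NID_ct_precert_scts`, a feature macro unrelated to the prototype of `EVP_DigestVerifyFinal`; the two only coincide because both changed in the 1.0.1 to 1.0.2 step, as the TODO in the hunk admits, so the cast should be gated on what it actually depends on, `#if OPENSSL_VERSION_NUMBER < 0x10002000L`, or on the cmake check the comment asks for. A C-style cast that strips `const` from `signature->Bytes()` also silently encodes the assumption that the callee never writes the buffer; copying the bytes first, `std::vector<unsigned char> sig(signature->Bytes(), signature->Bytes() + signature->Len()); success = EVP_DigestVerifyFinal(mdctx, sig.data(), sig.size());` (with `<vector>` included), removes that assumption on every OpenSSL version and leaves a single call site instead of two. `sct_verify` begins before this hunk.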
@@ -21,7 +21,7 @@ export { validation_status: string &log &optional; ## Result of certificate validation for this connection, given ## as OpenSSL validation code. - validation_code: count &optional; + validation_code: int &optional; ## Ordered chain of validated certificate, if validation succeeded. valid_chain: vector of opaque of x509 &optional; }; From a334247478574d130f748d27bbc40328a0415b8d Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 3 May 2017 22:06:24 -0700 Subject: [PATCH 072/147] SCT Validate: make caching a bit less aggressive. This triggers a re-validation of the SCT when the certificate validation status changed. This means that a SCT will show as valid if the certificate chain could be validated and can now be used to determine the correct issuer key hash. --- scripts/policy/protocols/ssl/validate-sct.bro | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index e28b89de88..385621afde 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -116,7 +116,10 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 local valid = F; local found_cache = F; - local validate_hash = sha1_hash(cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)); + local validatestring = cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source); + if ( proof$source == SCT_X509_EXT && c$ssl?$validation_code ) + validatestring = cat(validatestring, c$ssl$validation_code); + local validate_hash = sha1_hash(validatestring); if ( validate_hash in recently_validated_scts ) { valid = recently_validated_scts[validate_hash]; From 876f492a355222f8e70a295cb4ca6f444c53c12a Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 2 May 2017 13:47:46 -0700 Subject: [PATCH 073/147] OCSP/TLS/SCT: Fix a number of test failures. These were caused by earlier code updates. This commit also removes the ocsp stapling logging script; it was defunct and the information provided by it never really has been especially interesting. --- .../policy/protocols/ssl/ocsp-stapling.bro | 118 ------------------ scripts/test-all-policy.bro | 2 + .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 6 +- testing/btest/Baseline/plugins.hooks/output | 55 ++++++-- .../out | 8 +- .../intel-all.log | 16 +-- .../all-events-no-args.log | 2 + .../all-events.log | 106 +++++++++------- .../ocsp-stapling.log | 10 -- .../policy/protocols/ssl/ocsp-stapling.bro | 6 - 11 files changed, 122 insertions(+), 212 deletions(-) delete mode 100644 scripts/policy/protocols/ssl/ocsp-stapling.bro delete mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log delete mode 100644 testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro deleted file mode 100644 index 58e378ab65..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ /dev/null 
@@ -1,118 +0,0 @@ -#! Log ocsp stapling information - -module OCSP_STAPLING; - -export { - redef enum Log::ID += { LOG }; - type Info: record { - ## timestamp - ts: time &log; - - ## status type - status_type: count &log; - - ## connection id - cid: conn_id &log; - - ## connection uid - cuid: string &log; - - ## size of this response - size: count &log; - - ## responseStatus - responseStatus: string &log; - - ## responseType - responseType: string &log; - - ## version - version: count &log; - - ## responderID - responderID: string &log; - - ## producedAt - producedAt: string &log; - - ## NOTE: the following are specific to one cert id - ## the above are for one message which may contain - ## several responses - - ## index - idx: count &log &optional; - - ## cert id - cert_id: OCSP::CertId &log &optional; - - ## certStatus (this is the response to look at) - certStatus: string &log &optional; - - ## thisUpdate - thisUpdate: string &log &optional; - - ## nextUpdate - nextUpdate: string &log &optional; - }; -} - -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) - { - local resp: OCSP::Response = ocsp_parse_response(response); - - # TOCHECK: is this right? 
- local resp_size: count =|response|; - - if (resp?$responses) - { - local num: count = 0; - for (x in resp$responses) - { - num += 1; - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: Info = [$ts = network_time(), - $status_type = status_type, - $cid = c$id, - $cuid = c$uid, - $size = resp_size, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $idx = num, - $cert_id = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; - Log::write(LOG, resp_rec); - } - } - else - { - # no response content? this is weird but log it anyway - local resp_rec_empty: Info = [$ts = network_time(), - $status_type = status_type, - $cid = c$id, - $cuid = c$uid, - $size = resp_size, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt]; - Log::write(LOG, resp_rec_empty); - } - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]); - } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index a022060cd4..7c828241d0 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -34,6 +34,7 @@ @load frameworks/files/entropy-test-all-files.bro #@load frameworks/files/extract-all-files.bro @load frameworks/files/hash-all-files.bro +@load files/x509/log-ocsp.bro @load frameworks/packet-filter/shunt.bro @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro 
@@ -98,6 +99,7 @@ #@load protocols/ssl/notary.bro @load protocols/ssl/validate-certs.bro @load protocols/ssl/validate-ocsp.bro +@load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index d53b14ce58..52a660261c 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-02-28-17-15-30 +#open 2017-05-02-20-38-47 #fields name #types string scripts/base/init-bare.bro @@ -157,6 +157,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro @@ -167,4 +168,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2017-02-28-17-15-30 +#close 2017-05-02-20-38-47 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index e11edefe16..75ef872a95 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-02-28-17-19-41 +#open 2017-05-02-20-39-05 #fields name #types string scripts/base/init-bare.bro @@ -157,6 +157,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro @@ -284,6 +285,7 @@ scripts/base/init-default.bro scripts/base/protocols/ssl/consts.bro scripts/base/protocols/ssl/main.bro scripts/base/protocols/ssl/mozilla-ca-list.bro + scripts/base/protocols/ssl/ct-list.bro scripts/base/protocols/ssl/files.bro scripts/base/files/x509/__load__.bro scripts/base/files/x509/main.bro @@ -355,4 +357,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2017-02-28-17-19-41 +#close 2017-05-02-20-39-05 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 420d20ae12..a4250da2ca 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -151,7 +151,16 @@ 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , 
(Files::ANALYZER_PE, {application/x-dosexec})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> 
@@ -247,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +386,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -523,6 +532,7 @@ 0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_X509.ocsp_events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./acld) -> -1 @@ -542,6 +552,7 @@ 0.000000 MetaHookPost LoadFile(./consts) -> -1 0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 0.000000 MetaHookPost LoadFile(./contents) -> -1 +0.000000 MetaHookPost LoadFile(./ct-list) -> -1 0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 0.000000 MetaHookPost LoadFile(./debug) -> -1 
@@ -868,7 +879,16 @@ 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) 0.000000 MetaHookPre 
CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) @@ -964,7 +984,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -1094,7 +1114,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1240,6 +1260,7 @@ 0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_X509.ocsp_events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./acld) @@ -1259,6 +1280,7 @@ 0.000000 MetaHookPre LoadFile(./consts) 0.000000 MetaHookPre LoadFile(./consts.bro) 0.000000 MetaHookPre LoadFile(./contents) +0.000000 MetaHookPre LoadFile(./ct-list) 0.000000 MetaHookPre LoadFile(./data.bif.bro) 0.000000 MetaHookPre LoadFile(./dcc-send) 0.000000 MetaHookPre LoadFile(./debug) 
@@ -1584,7 +1606,16 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-user-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return 
()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) @@ -1680,7 +1711,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1810,7 +1841,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2195,7 +2226,7 @@ 1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> +1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> 1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], F)) -> @@ -2204,7 +2235,7 @@ 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> -1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false +1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 
@@ -2220,7 +2251,7 @@ 1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F)) @@ -2229,7 +2260,7 @@ 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() -1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -2246,7 +2277,7 @@ 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -2255,7 +2286,7 @@ 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents -1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index d7c0aef00d..90e5e79ef0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out 
@@ -60,10 +60,8 @@ FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #4, 1406, 0
 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]
-FILE_BOF_BUFFER
-0\x82\x05z0\x82\x04b\xa0\x03\x02
 MIME_TYPE
-application/pkix-cert
+application/x-x509-user-cert
 source: SSL
 MD5: 1bf9696d9f337805383427e88781d001
 SHA1: f5ccb1a724133607548b00d8eb402efca3076d58
@@ -73,10 +71,8 @@ FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #5, 1092, 0
 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]
-FILE_BOF_BUFFER
-0\x82\x04@0\x82\x03(\xa0\x03\x02
 MIME_TYPE
-application/pkix-cert
+application/x-x509-ca-cert
 source: SSL
 MD5: 48f0e38385112eeca5fc9ffd402eaecd
 SHA1: 8e8321ca08b08e3726fe1d82996884eeb5f0d655
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
index 6bb3e47e60..25c032e488 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
@@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-22-37 +#open 2017-05-02-20-45-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1416942644.593119 CHhAvVGS1DHFjwGM9 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/pkix-cert 23.92.19.75:443/tcp -#close 2016-08-05-13-22-37 +1416942644.593119 CHhAvVGS1DHFjwGM9 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/x-x509-user-cert 23.92.19.75:443/tcp +#close 2017-05-02-20-45-26 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-22-37 +#open 2017-05-02-20-45-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1170717505.735416 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/pkix-cert 194.127.84.106:443/tcp +1170717505.735416 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/x-x509-user-cert 194.127.84.106:443/tcp 1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FeCwNK3rzqPnZ7eBQ5 - - -1170717508.883051 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 
2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/pkix-cert 194.127.84.106:443/tcp +1170717508.883051 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/x-x509-user-cert 194.127.84.106:443/tcp 1170717509.082241 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FjkLnG4s34DVZlaBNc - - -1170717511.909717 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/pkix-cert 194.127.84.106:443/tcp +1170717511.909717 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/x-x509-user-cert 194.127.84.106:443/tcp 1170717512.108799 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FQXAWgI2FB5STbrff - - -#close 2016-08-05-13-22-38 +#close 2017-05-02-20-45-27 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index 64cbb5f748..8cd2a5e56d 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -173,6 +173,7 @@ 1437831799.764576 file_new 1437831799.764576 file_over_new_connection 1437831799.764576 file_sniff +1437831799.764576 file_hash 1437831799.764576 x509_certificate 1437831799.764576 x509_extension 1437831799.764576 x509_extension 
@@ -190,6 +191,7 @@
 1437831799.764576 file_new
 1437831799.764576 file_over_new_connection
 1437831799.764576 file_sniff
+1437831799.764576 file_hash
 1437831799.764576 x509_certificate
 1437831799.764576 x509_extension
 1437831799.764576 x509_extension
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index a42b891e6a..70ed522a0d 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -315,7 +315,7 @@ 1254722770.692743 file_sniff [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722770.692743 file_state_remove [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 
@@ -359,7 +359,7 @@ 1254722770.692804 file_sniff [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T] 1254722770.692804 file_state_remove [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 
11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 
@@ -415,7 +415,7 @@ 1254722771.494181 file_sniff [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify 
value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added 
possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -708,7 +708,7 @@ 1437831787.905375 file_sniff [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 
mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1437831787.905375 file_state_remove [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 
@@ -844,151 +844,161 @@ [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, 
krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, 
cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-user-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 1437831799.764576 x509_certificate - [0] f: fa_file = [id=F1vce92FT1oRjKI328, 
parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST 
CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], 
extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, 
conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], 
san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, 
extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=F, path_len=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification 
Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, 
critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, 
parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple 
Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, 
ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, 
oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, 
curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, 
dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, 
value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, 
uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], 
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d 
\x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, 
key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, 
oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, 
depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, 
uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, 
x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, 
extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com] 1437831799.764576 x509_ext_subject_alternative_name - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, 
value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use 
and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, 
logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=, email=, ip=, other_fields=F] 1437831799.764576 file_hash - [0] f: fa_file 
= [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, 
issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use 
and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 1bf9696d9f337805383427e88781d001 1437831799.764576 file_state_remove - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, 
value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any 
applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, 
server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of 
any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_new - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], 
basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull 
Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, 
id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, 
sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, 
value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, 
client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of 
any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, 
ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/g
tglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, 
critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, 
seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-ca-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], 
[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 1437831799.764576 x509_certificate - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, 
oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, 
history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, 
oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, 
source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, 
short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x
01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, 
is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended 
Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, 
oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, 
overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, 
critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority 
Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 
0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, 
Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=T, path_len=0] 1437831799.764576 x509_extension - [0] 
f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, 
cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], 
cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, 
u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], 
san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\
xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic 
Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull 
Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, 
cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority 
Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, 
value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple 
Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, 
client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple 
Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, 
flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 
0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, 
critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, 
uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, 
depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 
48f0e38385112eeca5fc9ffd402eaecd 1437831799.764576 file_state_remove - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, 
issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, 
extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: 
http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate 
Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information 
Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 11 [3] length: count = 2507 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject 
Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, 
value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 14 [3] length: count = 0 1437831799.838196 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, 
client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, 
critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, 
short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 16 [3] length: count = 258 1437831799.838197 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, 
vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, 
oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust 
Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, 
flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key 
Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, 
sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] 
is_orig: bool = T 1437831800.045701 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F 1437831800.045701 ssl_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server 
Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, 
short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, 
short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 net_done [0] t: time = 1437831800.217854 
@@ -1019,10 +1029,10 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a 
URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, 
short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, 
serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, 
key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log deleted file mode 100644 index c8d4c9d8e6..0000000000 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ocsp-stapling -#open 2015-07-08-21-19-54 -#fields ts status_type cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate -#types time count addr port addr port string count string string count string string count string string string string string string string -1398367809.961683 1 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z -#close 2015-07-08-21-19-54 
diff --git a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro deleted file mode 100644 index 63b7e29e03..0000000000 --- a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ /dev/null @@ -1,6 +0,0 @@ -# This tests logging of ocsp stapling message - -# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT -# @TEST-EXEC: btest-diff ocsp-stapling.log - -@load protocols/ssl/ocsp-stapling From eb50b3fed1e55cdf8df8320d116cacade0ce2e02 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 11 May 2017 22:50:20 -0700 Subject: [PATCH 074/147] Change end-of-connection handling for validation Move from using CCS (before: established) to just doing certificate validation at the end of the connection. This is (again) more robust in the case of aborted connection. I am moving this into a hook because of the complexity of the end-of-connection handling for SSL. This should probably be extended to not just handle SSL validation, but all other logging constructs that are currently called in _established. --- scripts/base/protocols/ssl/main.bro | 14 ++++++++++++++ scripts/policy/protocols/ssl/validate-certs.bro | 11 +---------- scripts/policy/protocols/ssl/validate-sct.bro | 7 ++----- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index dbe5f2bccd..54ac8548ba 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -103,6 +103,9 @@ export { ## Event that can be handled to access the SSL ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); + + # do everything you want to do right before logging here + global ssl_finishing: hook(c: connection); } redef record connection += { 
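Review bot: The new `ssl_finishing` hook in the main.bro hunk is introduced with a plain `#` comment inside an `export` block whose other member, `log_ssl`, is `##`-documented, so Broxygen will not emit any documentation for the one hook that other scripts are now expected to implement. Use the doc form and state the contract, e.g. `## Hook that runs right before the SSL::Info record of a connection is logged;` / `## handlers that add fields to c$ssl (validation results etc.) should do so here.` The hook is also invoked from two events (see the next hunk), which is worth mentioning in that comment so implementers know it may fire for connections that never completed the handshake.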
@@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7 c$ssl$established = T; } +event ssl_established(c: connection) &priority=20 + { + hook ssl_finishing(c); + } + event ssl_established(c: connection) &priority=-5 { finish(c, T); } +event connection_state_remove(c: connection) &priority=20 + { + if ( c?$ssl && ! c$ssl$logged ) + hook ssl_finishing(c); + } + event connection_state_remove(c: connection) &priority=-5 { if ( c?$ssl ) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index c50da10380..c2f4e569a2 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result return result; } -# The server issues CCS only after sending the certificates. This should -# be more robust than using SSL_established, on the off chance that we don't -# get that event. -# -# This is not TLSv1.3 compatible - but we will not have certificates in -# that case in any way, so it even saves us a few cycles. -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3 +hook ssl_finishing(c: connection) &priority=20 { - if ( is_orig ) - return; - # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 385621afde..bf7d8745bb 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
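Review bot: The hook can run twice for the same connection: the new priority-20 `ssl_established` handler fires it, and the new priority-20 `connection_state_remove` handler fires it again unless `c$ssl$logged` has become true in between. Whether `finish(c, T)` at priority -5 sets `logged` is not visible in the hunk; if it does not, every `ssl_finishing` handler (certificate and SCT validation) executes twice per established connection. Please confirm and record the invariant on the new handlers, e.g. `# ssl_finishing runs once per connection: on ssl_established, or on connection_state_remove for sessions that never completed the handshake.` The `finish` function itself is outside the hunk.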
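Review bot: The rewritten validate-certs handler drops the removed explanatory comment without a replacement, so the reason validation moved from `ssl_change_cipher_spec` to `ssl_finishing` (coverage of aborted connections, per the commit message) is no longer recorded in the code, and `&priority=20` is a bare number that validate-sct.bro's `&priority=19` in the following hunk silently depends on. Add a comment above the hook, e.g. `# Validate at ssl_finishing so that aborted handshakes are covered as well.` / `# Priority 20 must stay above validate-sct's 19, which consumes the validation result.` The handler body continues outside the hunk.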
@@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); } -# Priority = 2 will be handled after validation is done -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 +# Priority = 19 will be handled after validation is done +hook ssl_finishing(c: connection) &priority=19 { - if ( is_orig ) - return; - if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; From e1d42ec99ca0dcf79ddc3901a0a58af4fb39c6e0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 09:55:17 -0700 Subject: [PATCH 075/147] SCT validation: fix small memory leak (public keys were not freed) --- src/file_analysis/analyzer/x509/functions.bif | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 80fc3bb9af..478332aecf 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -695,12 +695,15 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); #endif EVP_MD_CTX_destroy(mdctx); + EVP_PKEY_free(key); return new Val(success, TYPE_BOOL); sct_verify_err: if (mdctx) EVP_MD_CTX_destroy(mdctx); + if (key) + EVP_PKEY_free(key); cerr << errstr << endl; reporter->Error("%s", errstr.c_str()); return new Val(0, TYPE_BOOL); From 7a1ec3501de5e345ceb4678cfbf60d63c9089a92 Mon Sep 17 00:00:00 2001 
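Review bot: The `if (key)` guard added in the `sct_verify_err` path is only safe if `key` is initialised to NULL before the first `goto sct_verify_err`; that initialisation is outside the hunk, so please confirm it, otherwise an early jump passes an indeterminate pointer to `EVP_PKEY_free`. `EVP_PKEY_free` accepts NULL, so once initialisation is guaranteed the guard can be dropped for symmetry with the unconditional `EVP_PKEY_free(key);` now on the success path. The context line `cerr << errstr << endl;` duplicates the following `reporter->Error` on stderr and looks like leftover debugging output. The beginning of `sct_verify` is outside the hunk.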
From: Johanna Amann Date: Sun, 14 May 2017 19:38:36 -0700 Subject: [PATCH 076/147] SCT: another memory leak in SCT parsing. --- src/file_analysis/analyzer/x509/X509Common.cc | 1 + src/file_analysis/analyzer/x509/functions.bif | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index 367b7e562a..dba593a3eb 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -213,6 +213,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); } + M_ASN1_OCTET_STRING_free(inner); OPENSSL_free(ext_val_second_pointer); interp->FlowEOF(); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 478332aecf..8212835e2e 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -703,8 +703,8 @@ sct_verify_err: if (mdctx) EVP_MD_CTX_destroy(mdctx); if (key) - EVP_PKEY_free(key); - cerr << errstr << endl; + EVP_PKEY_free(key); + reporter->Error("%s", errstr.c_str()); return new Val(0, TYPE_BOOL); %} From 8af810e00b265f92556118a02f402a0746490e83 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 19:53:22 -0700 Subject: [PATCH 077/147] SCT: Fix script error when mime type of file unknown. --- scripts/base/protocols/ssl/files.bro | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index b440927381..8750645b36 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro 
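Review bot: `M_ASN1_OCTET_STRING_free` on the added line is one of the legacy `M_ASN1_*` macros that OpenSSL 1.1 keeps only behind its API-compatibility switch, so the leak fix ties the build to a deprecated interface; the plain function `ASN1_OCTET_STRING_free(inner);` has the same effect and also tolerates a NULL argument. The free sits after the branch that reports a parse failure, which is correct only if `inner` is owned solely by this function and not referenced by `interp` after `FlowEOF()`; the allocation of `inner` is outside the hunk, so this is worth a one-line comment such as `// inner is a local copy; free it regardless of whether the SCT list parsed.` The rest of `ParseSignedCertificateTimestamps` lies outside the hunk.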
@@ -96,6 +96,9 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( |f$conns| != 1 ) return; + if ( ! f?$info || ! f$info?$mime_type ) + return; + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" || f$info$mime_type == "application/pkix-cert" ) ) return; From 0d97e5451d3529790b4586b4fef92b78316c72b2 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 15:09:54 -0700 Subject: [PATCH 078/147] Revert "parse multiple OCSP stapling responses" This reverts commit 07891b3b66fbf86a188325a0eaedc24db9571b13. I suspect this never really was correctly implemented and just breaks all scripts. --- .../protocol/ssl/tls-handshake-analyzer.pac | 9 +++++---- .../protocol/ssl/tls-handshake-protocol.pac | 18 +++--------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 60d03f3dce..024353432a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -241,7 +241,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool + function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ ODesc common; common.AddRaw("Analyzer::ANALYZER_SSL"); @@ -249,7 +249,7 @@ refine connection Handshake_Conn += { common.AddRaw("F"); bro_analyzer()->Conn()->IDString(&common); - if ( status_type == 1 || status_type == 2 ) // ocsp + if ( status_type == 1 ) // ocsp { ODesc file_handle; file_handle.Add(common.Description()); @@ -269,6 +269,7 @@ refine connection Handshake_Conn += { file_mgr->EndOfFile(file_id); } + return true; %} 
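Review bot: With the check in `proc_certificate_status` narrowed to `status_type == 1`, a CertificateStatus message carrying any other status type is now dropped without trace: the function still reaches the new `return true;`, raises no event and records nothing, so a server sending an unknown or malformed status type is indistinguishable from one sending none. Emitting a weird via `bro_analyzer()->Weird(...)` on that fall-through path, or at minimum a comment before the `return true;` such as `// status_type != 1 (OCSP) is intentionally ignored; no event is raised`, would make the silent drop visible to operators. The function body starts outside the hunk.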
@@ -384,8 +385,8 @@ refine typeattr ServerNameExt += &let { proc : bool = $context.connection.proc_server_name(rec, server_names); }; -refine typeattr OCSPResponse += &let { - proc : bool = $context.connection.proc_ocsp_response(rec, status_type, response); +refine typeattr CertificateStatus += &let { + proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; refine typeattr EcServerKeyExchange += &let { diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index d06d8ec57b..6a1988111e 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -165,23 +165,11 @@ type Certificate(rec: HandshakeRecord) = record { } &length = to_int()(length)+3; # OCSP Stapling -type OCSPResponse(rec: HandshakeRecord, status_type: uint8) = record { - length : uint24; - response : bytestring &length = to_int()(length); -} &length = to_int()(length)+3; - -type OCSPResponseList(rec: HandshakeRecord, status_type: uint8) = record { - length : uint24; - response_list : OCSPResponse(rec, status_type)[] &until($input.length() == 0); -} &length = to_int()(length)+3; type CertificateStatus(rec: HandshakeRecord) = record { - status_type: uint8; # 1 = ocsp, 2 = ocsp_multi, everything else is undefined - which_type: case status_type of { - 1 -> ocsp_response : OCSPResponse(rec, status_type); - 2 -> ocsp_response_list : OCSPResponseList(rec, status_type); - default -> data : bytestring &restofdata &transient; # unknown - }; + status_type: uint8; # 1 = ocsp, everything else is undefined + length : uint24; + response: bytestring &restofdata; }; ###################################################################### From 912637658137630230562aaf41b6345f64fe5c74 Mon Sep 17 00:00:00 2001 
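Review bot: In the restored `CertificateStatus` record the `length` field is parsed but never used: `response: bytestring &restofdata` takes whatever follows, so a message whose declared length disagrees with the actual payload is accepted silently and the bytes are handed to the file analyzer as if they were a well-formed OCSP response. Binding the field as `response: bytestring &length = to_int()(length);` (the form the removed `OCSPResponse` type used) lets binpac reject truncated or padded messages, assuming the enclosing handshake record already bounds the input. The comment `# 1 = ocsp, everything else is undefined` should also say that other types are not parsed further, since that is what the analyzer now does.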
From: Johanna Amann Date: Thu, 27 Jul 2017 15:12:19 -0700 Subject: [PATCH 079/147] Revert "add parameter 'status_type' to event ssl_stapled_ocsp" This reverts commit 545848d9067c9ce35e8825961ce82943d3c945ff. Revert further part of stapled OCSP response handling that probably never worked. --- scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +--- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 +-- testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +- testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +- 5 files changed, 5 insertions(+), 8 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 8f0da3ef2f..81bbc3c9ea 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -27,7 +27,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3 +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 44e359dde6..755eccded7 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -416,9 +416,7 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len ## is_orig: True if event is raised for originator side of the connection. ## ## response: OCSP data. -## -## status_type: status_type in received OCSP stapled response -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%); +event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 024353432a..e3226551b4 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -264,8 +264,7 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), - (const char*) response.data()), - status_type); + (const char*) response.data())); file_mgr->EndOfFile(file_id); } diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro index 4a4d081e09..ab24f28ee8 100644 --- a/testing/btest/core/leaks/x509_ocsp_verify.bro +++ b/testing/btest/core/leaks/x509_ocsp_verify.bro @@ -9,7 +9,7 @@ @load base/protocols/ssl -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 440b1b2ebf..6424f263f1 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test 
@@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\
x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) From 9594f695980f2ba451c3ad2cf2c33323ae517ceb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 16:21:47 -0700 Subject: [PATCH 080/147] SSL: Update OCSP/SCT scripts and documentation. --- doc/script-reference/log-files.rst | 4 + scripts/base/files/x509/README | 2 +- scripts/base/files/x509/__load__.bro | 1 - scripts/base/files/x509/main.bro | 11 +- scripts/base/protocols/ssl/README | 2 +- scripts/base/protocols/ssl/main.bro | 11 +- scripts/policy/files/x509/log-ocsp.bro | 52 +++++---- .../policy/protocols/ssl/validate-ocsp.bro | 6 +- scripts/policy/protocols/ssl/validate-sct.bro | 39 +++++-- src/analyzer/protocol/ssl/events.bif | 14 ++- src/file_analysis/analyzer/x509/events.bif | 18 +++- src/file_analysis/analyzer/x509/functions.bif | 60 +++++++++-- .../analyzer/x509/ocsp_events.bif | 102 ++++++++++++++++-- .../btest/Baseline/coverage.find-bro-logs/out | 1 + 14 files changed, 260 insertions(+), 63 deletions(-) diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 795b33f6b8..e8550ee41c 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst 
@@ -76,6 +76,10 @@ Files +============================+=======================================+=================================+ | files.log | File analysis results | :bro:type:`Files::Info` | +----------------------------+---------------------------------------+---------------------------------+ +| ocsp.log | Online Certificate Status Protocol | :bro:type:`OCSP::Info` | +| | (OCSP). Only created if policy script | | +| | is loaded. | | ++----------------------------+---------------------------------------+---------------------------------+ | pe.log | Portable Executable (PE) | :bro:type:`PE::Info` | +----------------------------+---------------------------------------+---------------------------------+ | x509.log | X.509 certificate info | :bro:type:`X509::Info` | diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index b523eb4fc4..515b0e0b1c 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1,2 +1,2 @@ Support for X509 certificates with the file analysis framework. -Also supposrts OCSP requests and responses. +Also supports parsing OCSP requests and responses. diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index cff81e7254..a10fe855df 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1,2 +1 @@ @load ./main -#@load ./ocsp diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index a7d3ca7a04..7cf1c4ab59 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro 
@@ -10,23 +10,17 @@ export { type Info: record { ## Current timestamp. ts: time &log; - ## File id of this certificate. id: string &log; - ## Basic information about the certificate. certificate: X509::Certificate &log; - ## The opaque wrapping the certificate. Mainly used ## for the verify operations. handle: opaque of x509; - ## All extensions that were encountered in the certificate. extensions: vector of X509::Extension &default=vector(); - ## Subject alternative name extension of the certificate. san: X509::SubjectAlternativeName &optional &log; - ## Basic constraints extension of the certificate. basic_constraints: X509::BasicConstraints &optional &log; }; @@ -39,6 +33,11 @@ event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + # We use mime types internally to distinguish between user and ca certificates. + # The first certificate in a connection always gets tagged as user-cert, all + # following certificates get tagged as CA certificates. Certificates gotten via + # other means (e.g. identified from HTTP traffic when they are transfered in plain + # text) get tagged as application/pkix-cert. Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); diff --git a/scripts/base/protocols/ssl/README b/scripts/base/protocols/ssl/README index 8fa99fd553..1fd0568101 100644 --- a/scripts/base/protocols/ssl/README +++ b/scripts/base/protocols/ssl/README @@ -1 +1 @@ -Support for Secure Sockets Layer (SSL) protocol analysis. +Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis. diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 54ac8548ba..932505c3a8 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
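Review bot: The new comment in the `bro_init` hunk has two wording slips: `transfered` should be `transferred`, and `Certificates gotten via other means` reads better as `Certificates obtained via other means`. Since the comment states that user/CA tagging is positional (first certificate in a connection vs. all following ones) rather than derived from the certificate content, it is worth adding one sentence saying that consumers of these mime types must not treat the tag as proof of a CA certificate, e.g. `# The tag reflects position in the chain only, not the certificate's basic constraints.`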
@@ -64,7 +64,6 @@ export { ## Flag to indicate if this ssl session has been established ## successfully, or if it was aborted during the handshake. established: bool &log &default=F; - ## Flag to indicate if this record already has been logged, to ## prevent duplicates. logged: bool &default=F; @@ -74,11 +73,18 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + ## The record type which contains the field for the Certificate + ## Transparency log bundle. type CTInfo: record { + ## Description of the Log description: string; + ## Operator of the Log operator: string; + ## Public key of the Log. key: string; + ## Maximum merge delay of the Log maximum_merge_delay: count; + ## URL of the Log url: string; }; @@ -104,7 +110,8 @@ export { ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); - # do everything you want to do right before logging here + # Hook that can be used to perform actions right before the log record + # is written. global ssl_finishing: hook(c: connection); } diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro index f9e72dd832..349fa9a372 100644 --- a/scripts/policy/files/x509/log-ocsp.bro +++ b/scripts/policy/files/x509/log-ocsp.bro 
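Review bot: The reworded comment on `ssl_finishing` in the `@@ -104,7 +110,8 @@` hunk still uses `#` rather than `##`, so the hook remains invisible to Broxygen while its sibling `log_ssl` in the same `export` block is documented. Change the two lines to `## Hook that can be used to perform actions right before the log record` / `## is written.` In the `CTInfo` hunk just above, three of the five new field comments (`Description of the Log`, `Operator of the Log`, `URL of the Log`) lack the terminating period the other two have.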
@@ -1,31 +1,41 @@ -##! Enable basic OCSP logging. - -# This is in policy because probably just about no one is interested -# in logging OCSP responses. +##! Enable logging of OCSP responses. +# +# This script is in policy and not loaded by default because OCSP logging +# does not provide a lot of interesting information in most environments. module OCSP; export { redef enum Log::ID += { LOG }; + ## The record type which contains the fields of the OCSP log. type Info: record { - ## Current timestamp. - ts: time &log; - - ## File id of the ocsp reply. - id: string &log; - - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - certStatus: string &log; - revoketime: time &log &optional; - revokereason: string &log &optional; - thisUpdate: time &log; - nextUpdate: time &log &optional; + ## Time when the OCSP reply was encountered. + ts: time &log; + ## File id of the ocsp reply. + id: string &log; + ## Hash algorithm used to generate issuerNameHash and issuerKeyHash. + hashAlgorithm: string &log; + ## Hash of the issuer's distingueshed name. + issuerNameHash: string &log; + ## Hash of the issuer's public key. + issuerKeyHash: string &log; + ## Serial number of the affected certificate. + serialNumber: string &log; + ## Status of the affected certificate. + certStatus: string &log; + ## Time at which the certificate was revoked. + revoketime: time &log &optional; + ## Reason for which the certificate was revoked. + revokereason: string &log &optional; + ## The time at which the status being shows is known to have been correct. + thisUpdate: time &log; + ## The latest time at which new information about the status of the certificate will be available. + nextUpdate: time &log &optional; }; + ## Event that can be handled to access the OCSP record + ## as it is sent to the logging framework. global log_ocsp: event(rec: Info); } 
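Review bot: Two of the new field comments contain wording errors: `distingueshed` on `issuerNameHash` should be `distinguished`, and the `thisUpdate` comment `The time at which the status being shows is known to have been correct.` should read `The time at which the status being shown is known to have been correct.` The lines below `##! Enable logging of OCSP responses.` that explain why the script lives in policy use plain `#`; if that rationale is meant for users it could use `##!` as well so it appears in the generated script reference.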
@@ -39,14 +49,12 @@ event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHas { local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash, $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus, - $thisUpdate=thisUpdate); + $thisUpdate=thisUpdate); if ( revokereason != "" ) wr$revokereason = revokereason; - if ( time_to_double(revoketime) != 0 ) wr$revoketime = revoketime; - if ( time_to_double(nextUpdate) != 0 ) wr$nextUpdate = nextUpdate; diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 81bbc3c9ea..7cb8be9f0e 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,9 @@ ##! Perform validation of stapled OCSP responses. +#! +#! Note: this _only_ performs validation of stapled OCSP responsed. It does +#! not validate OCSP responses that are retrieved via HTTP, because we do not +#! have a mapping to certificates. + @load base/frameworks/notice @load base/protocols/ssl @@ -15,7 +20,6 @@ export { redef record Info += { ## Result of ocsp validation for this connection. ocsp_status: string &log &optional; - ## ocsp response as string. ocsp_response: string &optional; }; diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index bf7d8745bb..f45a8f7964 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -1,6 +1,5 @@ ##! Perform validation of Signed Certificate Timestamps, as used -##! for Certificate Transparency. See https://tools.ietf.org/html/rfc6962 -##! for more details. +##! for Certificate Transparency. See RFC6962 for more details. @load base/protocols/ssl @load protocols/ssl/validate-certs 
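Review bot: The note added at the top of validate-ocsp.bro uses `#!` rather than `##!`, so unlike the first line it will not appear in the generated script summary, and `stapled OCSP responsed` should read `stapled OCSP responses`. Suggested first line: `##! Note: this _only_ performs validation of stapled OCSP responses. It does`, with the two following lines changed to the same `##!` prefix.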
@@ -13,40 +12,63 @@ module SSL; export { + ## List of the different sources for Signed Certificate Timestamp type SctSource: enum { + ## Signed Certificate Timestamp was encountered in the extension of + ## an X.509 certificate. SCT_X509_EXT, + ## Signed Certificate Timestamp was encountered in an TLS session + ## extension. SCT_TLS_EXT, + ## Signed Certificate Timestamp was encountered in the extension of + ## an stapled OCSP reply. SCT_OCSP_EXT }; + ## This record is used to store information about the SCTs that are + ## encountered in a SSL connection. type SctInfo: record { + ## The version of the encountered SCT (should always be 0 for v1). version: count; + ## The ID of the log issuing this SCT. logid: string; + ## The timestamp at which this SCT was issued measured since the + ## epoch (January 1, 1970, 00:00), ignoring leap seconds, in + ## milliseconds. Not converted to a Bro timestamp because we need + ## the exact value for validation. timestamp: count; + ## The signature algorithm used for this sct. sig_alg: count; + ## The hash algorithm used for this sct. hash_alg: count; + ## The signature of this SCT. signature: string; + ## Source of this SCT. source: SctSource; + ## Validation result of this SCT. valid: bool &optional; }; redef record Info += { + ## Number of valid SCTs that were encountered in the connection. valid_scts: count &optional; + ## Number of SCTs that could not be validated that were encountered in the connection. invalid_scts: count &optional; + ## Number of different Logs for which valid SCTs were encountered in the connection. valid_ct_logs: count &log &optional; + ## Number of different Log operators of which valid SCTs were encountered in the connection. valid_ct_operators: count &log &optional; + ## List of operators for which valid SCTs were encountered in the connection. valid_ct_operators_list: set[string] &optional; + ## Information about all SCTs that were encountered in the connection. 
+ ct_proofs: vector of SctInfo &default=vector(); }; - } +# Used to cache validations for 5 minutes to lessen computational load. global recently_validated_scts: table[string] of bool = table() &read_expire=5mins &redef; -redef record SSL::Info += { - ct_proofs: vector of SctInfo &default=vector(); -}; - event bro_init() { Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); @@ -134,7 +156,6 @@ hook ssl_finishing(c: connection) &priority=19 # the right issuer cert. # # First - Let's try if a previous round already established the correct issuer key hash. - if ( issuer_key_hash != "" ) { valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); @@ -151,9 +172,9 @@ hook ssl_finishing(c: connection) &priority=19 issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); } + # ok, if it still did not work - let's just try with all the certs that were sent # in the connection. Perhaps it will work with one of them. - if ( !valid ) for ( i in c$ssl$cert_chain ) { diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 755eccded7..7f0814ee27 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -211,6 +211,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is 
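Review bot: Several of the new doc comments in the `SctSource`/`SctInfo` hunk have grammatical slips: `an TLS session extension` should be `a TLS session extension`, `an stapled OCSP reply` should be `a stapled OCSP reply`, and `List of the different sources for Signed Certificate Timestamp` should end in `Timestamps`. The new comment on `recently_validated_scts` says it caches validations for 5 minutes, which matches `&read_expire=5mins`, but it does not say what the string key is; the insertion site is outside the hunk, so stating the key (presumably derived from the SCT signature — confirm) would help readers. The `ct_proofs` comment `Information about all SCTs that were encountered in the connection.` is fine as written.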
@@ -231,6 +232,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 ## ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_key_share
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_extension_signed_certificate_timestamp
 event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
 
 ## Generated for the signed_certificate_timestamp TLS extension as defined in
@@ -253,6 +255,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ## digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_extension
+## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+## ssl_extension_server_name ssl_extension_key_share
+## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_extension_application_layer_protocol_negotiation
+## x509_ocsp_ext_signed_certificate_timestamp sct_verify
 event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 
 ## Generated for an TLS Supported Versions extension. This TLS extension
@@ -271,7 +281,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_key_share ssl_extension_server_name
-## ssl_extension_psk_key_exchange_modes
+## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
 event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
 
 ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
@@ -288,7 +298,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
 ## ssl_extension_application_layer_protocol_negotiation
 ## ssl_extension_key_share ssl_extension_server_name
-## ssl_extension_supported_versions
+## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 206555e9dd..68afe5340a 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -13,7 +13,7 @@
 ##
 ## .. bro:see:: x509_extension x509_ext_basic_constraints
 ## x509_ext_subject_alternative_name x509_parse x509_verify
-## x509_get_certificate_string
+## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
 
 ## Generated for X509 extensions seen in a certificate.
@@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif
 ##
 ## .. bro:see:: x509_certificate x509_ext_basic_constraints
 ## x509_ext_subject_alternative_name x509_parse x509_verify
-## x509_get_certificate_string
+## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_extension%(f: fa_file, ext: X509::Extension%);
 
 ## Generated for the X509 basic constraints extension seen in a certificate.
@@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%);
 ##
 ## .. bro:see:: x509_certificate x509_extension
 ## x509_ext_subject_alternative_name x509_parse x509_verify
-## x509_get_certificate_string
+## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 
 ## Generated for the X509 subject alternative name extension seen in a certificate.
@@ -52,13 +52,14 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 ## ext: The parsed subject alternative name extension.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
-## x509_parse x509_verify
+## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
 ## x509_get_certificate_string
 event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
 
 ## Generated for the signed_certificate_timestamp X509 extension as defined in
 ## :rfc:`6962`. The extension is used to transmit signed proofs that are
-## used for Certificate Transparency.
+## used for Certificate Transparency. Raised when the extension is encountered
+## in an X.509 certificate or in an OCSP reply.
 ##
 ## f: The file.
 ##
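Review bot: The new sentence `Raised when the extension is encountered in an X.509 certificate or in an OCSP reply.` gives a handler of x509_ocsp_ext_signed_certificate_timestamp no stated way to tell the two sources apart, although the SSL script in this patch records them separately as `SCT_X509_EXT` and `SCT_OCSP_EXT` and the event carries only `f` plus the SCT fields. Suggest a follow-on sentence in the docstring saying how the source is determined — presumably from the file's analyzer or MIME type, which should be confirmed against the script that fills `SctInfo$source` before it is written down. The event declaration itself is outside this hunk.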
@@ -74,4 +75,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati
 ## digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
+## x509_parse x509_verify x509_ext_subject_alternative_name
+## x509_get_certificate_string ssl_extension_signed_certificate_timestamp
+## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate
+## x509_ocsp_ext_signed_certificate_timestamp
 event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 8212835e2e..e3fcb0ce11 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -140,6 +140,8 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid)
 return 0;
 }
 
+// Convert hash algorithm registry numbers to the OpenSSL EVP_MD.
+// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
 const EVP_MD* hash_to_evp(int hash)
 {
 switch ( hash )
@@ -483,7 +485,7 @@ x509_ocsp_cleanup:
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ## x509_ext_subject_alternative_name x509_parse
-## x509_get_certificate_string x509_ocsp_verify
+## x509_get_certificate_string x509_ocsp_verify sct_verify
 function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 %{
 X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
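Review bot: The new `.. bro:see::` list for x509_ocsp_ext_signed_certificate_timestamp names `ssl_extension_signed_certificate_timestamp` twice (as its first entry and again after `x509_get_certificate_string`) and closes with the event's own name, so the rendered cross-reference will carry a duplicate link and a self-link; the other see-lists added in this patch leave the documented item out of its own list. Drop the second `ssl_extension_signed_certificate_timestamp` and the trailing `x509_ocsp_ext_signed_certificate_timestamp` entry.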
@@ -571,6 +573,28 @@ x509_verify_chainerror:
 return rrecord;
 %}
 
+## Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+## See RFC6962 for more details.
+##
+## cert: Certificate against which the SCT should be validated.
+##
+## logid: Log id of the SCT.
+##
+## log_key: Public key of the Log that issued the SCT proof.
+##
+## timestamp: Timestamp at which the proof was generated.
+##
+## hash_algorithm: Hash algorithm that was used for the SCT proof.
+##
+## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
+## This only has to be provided if the SCT was encountered in an X.509
+## certificate extension; in that case, it is necessary for validation.
+##
+## Returns: T if the validation could be performed succesfully, F otherwhise.
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp
+## x509_ocsp_ext_signed_certificate_timestamp
+## x509_verify
 function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool
 %{
 assert(cert);
@@ -789,6 +813,17 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha
 }
 %%}
 
+## Get the hash of the subject's distinguished name.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_issuer_name_hash x509_spki_hash
+## x509_verify sct_verify
 function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
 %{
 file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
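Review bot: The new docstring for sct_verify omits the `signature` parameter, which sits between `log_key` and `timestamp` in the declaration at the end of the added block, so the generated docs will list six of the seven arguments. More importantly, `Returns: T if the validation could be performed succesfully, F otherwhise.` reads as "the check ran" rather than "the SCT signature verified", and the SSL script in this patch uses the result directly as its `valid` flag; suggest `## Returns: T if the SCT signature verifies under log_key for this certificate, F on any failure (including unparseable or unsupported input).` A `## signature: Signature part of the SCT's digitally_signed struct.` entry would complete the parameter list, and 'succesfully' / 'otherwhise' are typos that will render verbatim. The function body starts with `assert(cert);` and continues outside the hunk.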
@@ -796,17 +831,17 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
 return x509_entity_hash(cert_handle, hash_alg, 0);
 %}
 
-## Get the hash of issuer name of a certificate
+## Get the hash of the issuer's distinguished name.
 ##
 ## cert: The X509 certificate opaque handle.
 ##
-## hash_alg: the hash algorithm to use
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
 ##
-## Returns: A string of hash of issuer name.
+## Returns: The hash as a string.
 ##
-## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
-## x509_ext_subject_alternative_name x509_parse
-## x509_get_certificate_string x509_verify
+## .. bro:see:: x509_subject_name_hash x509_spki_hash
+## x509_verify sct_verify
 function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
 %{
 file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
@@ -814,6 +849,17 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
 return x509_entity_hash(cert_handle, hash_alg, 1);
 %}
 
+## Get the hash of the Subject Public Key Information of the certificate.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash
+## x509_verify sct_verify
 function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
 %{
 file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
index 76208c210e..1c236bf177 100644
--- a/src/file_analysis/analyzer/x509/ocsp_events.bif
+++ b/src/file_analysis/analyzer/x509/ocsp_events.bif
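Review bot: `Returns: The hash as a string.` in the new x509_spki_hash docstring does not say whether the string is the raw digest bytes or a hex encoding, and that matters here because the SSL script in this patch passes the result straight into sct_verify as `issuer_key_hash`, which that function's docs describe as "the SHA-256 hash". The docstring also does not say what comes back when `hash_alg` is not one of the mapped IANA values; `hash_to_evp` earlier in this file is a `switch` on the number, so an unmapped case presumably exists and its observable result should be stated. Suggest `## Returns: The raw digest bytes (not hex-encoded) as a string; <result for an unknown hash_alg>.` after confirming both against x509_entity_hash, whose body is outside this hunk.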
@@ -1,6 +1,8 @@
 ## Event that is raised when encountering an OCSP request, e.g. in an HTTP
 ## connection. See :rfc:`6960` for more details.
 ##
+## This event is raised exactly once for each OCSP Request.
+##
 ## f: The file.
 ##
 ## req: version: the version of the OCSP request. Typically 0 (Version 1).
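Review bot: The context line `## req: version: the version of the OCSP request. Typically 0 (Version 1).` no longer matches the declaration `event ocsp_request%(f: fa_file, version: count, requestorName: string%)` in the next hunk — there is no `req` argument — so the generated docs will describe a parameter that does not exist. Since this commit rewrites the surrounding docstring anyway, change the line to `## version: The version of the OCSP request. Typically 0 (Version 1).`.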
@@ -8,23 +10,111 @@
 ## requestorName: name of the OCSP requestor. This attribute is optional; if
 ## it is not set, an empty string is returned here.
 ##
+## .. bro:see:: ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_request%(f: fa_file, version: count, requestorName: string%);
 
+## Event that is raised when encountering an OCSP request for a certificate,
+## e.g. in an HTTP connection. See :rfc:`6960` for more details.
+##
+## Note that a single OCSP request can contain requests for several certificates.
+## Thus this event can fire several times for one OCSP request, each time
+## requesting information for a different (or in theory even the same) certificate.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for the issuerKeyHash.
+##
+## issuerKeyHash: Hash of the issuers public key.
+##
+## serialNumber: Serial number of the certificate for which the status is requested.
+##
+## .. bro:see:: ocsp_request ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%);
 
-## Generated for encountered OCSP response
+## This event is raised when encountering an OCSP reply, e.g. in an HTTP
+## connection or a TLS extension. See :rfc:`6960` for more details.
+##
+## This event is raised exactly once for each OCSP reply.
+##
+## f: The file.
+##
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate
+## ocsp_response_bytes ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_status%(f: fa_file, status: string%);
+
+## This event is raised when encountering an OCSP response that contains response information.
+## An OCSP reply can be encountered, for example, in an HTTP connection or
+## a TLS extension. See :rfc:`6960` for more details on OCSP.
 ##
 ## f: The file.
 ##
 ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
-## OCSP response
+## OCSP response.
 ##
-## req: The parsed OCSP response information.
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
 ##
-event ocsp_response_status%(f: fa_file, status: string%);
-
+## version: Version of the OCSP response (typically - for version 1).
+##
+## responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
+##
+## producedAt: Time at which the reply was produced.
+##
+## signatureAlgorithm: Algorithm used for the OCSP signature.
+##
+## certs: Optional list of certificates that are sent with the OCSP response; these typically
+## are needed to perform validation of the reply.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
 
-event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%);
+## This event is raised for each SingleResponse contained in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
+##
+## issuerNameHash: Hash of the issuer's distinguished name.
+##
+## issuerKeyHash: Hash of the issuer's public key.
+##
+## serialNumber: Serial number of the affected certificate.
+##
+## certStatus: Status of the certificate.
+##
+## revokeTime: Time the certificate was revoked, 0 if not revoked.
+##
+## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
+##
+## thisUpdate: Time this response was generated.
+##
+## nextUpdate: Time next response will be ready; 0 if not supploed.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%);
 
+## This event is raised when an OCSP extension is encountered in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## ext: The parsed extension (same format as X.509 extensions).
+##
+## global_resp: T if extension encountered in the global response (in ResponseData),
+## F when encountered in a SingleResponse.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate
+## x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%);
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index 9ff209d2e6..09a08914fe 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -30,6 +30,7 @@ netcontrol_shunt
 notice
 notice_alarm
 ntlm
+ocsp
 open_flow
 packet_filter
 pe
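Review bot: The ocsp_response_bytes docstring still documents `req_ref` while the declaration names the argument `resp_ref`, and the ocsp_request_certificate docstring omits `issuerNameHash` and says `hashAlgorithm` covers only `issuerKeyHash`, although that declaration takes both hashes (the SingleResponse docstring further down gets this right with "used for issuerNameHash and issuerKeyHash"). `version: Version of the OCSP response (typically - for version 1)` is missing its number, presumably `typically 0 for version 1` as in the request docs. The `certs` entry should carry the caveat that these certificates are supplied by the responder inside the reply and are untrusted until chained to a root, e.g. `## certs: Certificates sent with the OCSP response; they come from the responder, so validate them (see x509_ocsp_verify) before treating one as the signer.` 'succesful', 'revokeTeason' and 'supploed' are typos that will appear verbatim in the rendered docs.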
From 5acbccf44417b82e9692118238e2763d5874cd44 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 17:07:22 -0700 Subject: [PATCH 081/147] Update CT Log list --- scripts/base/protocols/ssl/ct-list.bro | 66 ++++++++++++++++---------- 1 file changed, 40 insertions(+), 26 deletions(-) diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro index 600b644df2..d48f58877c 100644 --- a/scripts/base/protocols/ssl/ct-list.bro +++ b/scripts/base/protocols/ssl/ct-list.bro 
@@ -1,34 +1,48 @@ # # Do not edit this file. This file is automatically generated by gen-ct-list.pl -# File generated at Thu Mar 16 13:41:00 2017 -# File generated from https://www.certificate-transparency.org/known-logs/all_logs_list.json?attredirects=0&d=1 +# File generated at Thu Jul 27 16:59:25 2017 +# File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json # @load base/protocols/ssl module SSL; redef ct_logs += { -["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), -["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), -["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), -["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), -["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), -["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), -["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), -["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), -["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ct.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), -["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign ctlog", $operator="WoSign", 
$url="ctlog.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), -["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec VEGA log", $operator="Symantec", $url="vega.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), -["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), -["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="Wang Shengnan GDCA log", $operator="Wang Shengnan", $url="ct.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), -["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' 
log", $operator="Google", $url="ct.googleapis.com/submariner", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), -["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 2nd log", $operator="Izenpe", $url="ct.izenpe.eus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), -["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom CT log", $operator="StartCom", $url="ct.startssl.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), -["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), -["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), -["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA log", $operator="GDCA", $url="ctlog.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), -["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), -["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), -["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = 
CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="https://ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), -["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec SIRIUS log", $operator="Symantec", $url="sirius.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), -["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert CT2 log", $operator="DigiCert", $url="ct2.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", 
$url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="Symantec", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="Symantec", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="Symantec", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="Wosign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="Wosign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="Wosign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", 
$operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartSSL", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), 
+["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), +["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), +["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"), +["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"), +["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"), +["\x32\xdc\x59\xc2\xd4\xc4\x19\x68\xd5\x6e\x14\xbc\x61\xac\x8f\x0e\x45\xdb\x39\xfa\xf3\xc1\x55\xaa\x42\x52\xf5\x00\x1f\xa0\xc6\x23"] = CTInfo($description="SHECA CT log 2", $operator="SHECA", $url="ct.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb1\x8e\x1d\x8a\xaa\x3a\xac\xce\x86\xcb\x53\x76\xe8\xa8\x9d\x59\xbe\x17\x88\x03\x07\xf2\x27\xe0\x82\xbe\xb1\xfc\x67\x3b\x46\xee\xd3\xf1\x8d\xd6\x77\xe8\xa3\xb4\xdb\x09\x5c\xa0\x09\x43\xfc\x5f\xd0\x68\x34\x23\x24\x08\xc2\x4f\xd8\xd2\xb6\x9d\xed\xd5\x8c\xdb"), +["\x96\x06\xc0\x2c\x69\x00\x33\xaa\x1d\x14\x5f\x59\xc6\xe2\x64\x8d\x05\x49\xf0\xdf\x96\xaa\xb8\xdb\x91\x5a\x70\xd8\xec\xf3\x90\xa5"] = CTInfo($description="Akamai CT Log", $operator="Akamai", $url="ct.akamai.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x43\x79\xeb\x49\x5c\x50\x2a\x4a\x6a\x8f\x59\x93\xbc\xc3\x42\x76\xc2\x99\xf8\x27\x81\x3c\x06\x6c\xd2\xc8\x04\x8f\x74\x7b\xb4\xb5\x21\xf2\xe3\xa8\xdc\x33\xb9\xfe\x25\xe9\x3d\x04\xfc\x3f\xb4\xae\x40\xe3\x45\x7e\x84\x92\x2a\xd8\x52\xeb\x1f\x3f\x73\x13\xd0\xc8"), +["\x39\x37\x6f\x54\x5f\x7b\x46\x07\xf5\x97\x42\xd7\x68\xcd\x5d\x24\x37\xbf\x34\x73\xb6\x53\x4a\x48\x34\xbc\xf7\x2e\x68\x1c\x83\xc9"] = CTInfo($description="Alpha CT Log", $operator="Matt Palmer", $url="alpha.ctlogs.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3\x2a\xe3\x77\x97\x8d\x78"), +["\x29\x6a\xfa\x2d\x56\x8b\xca\x0d\x2e\xa8\x44\x95\x6a\xe9\x72\x1f\xc3\x5f\xa3\x55\xec\xda\x99\x69\x3a\xaf\xd4\x58\xa7\x1a\xef\xdd"] = CTInfo($description="Let's Encrypt 'Clicky' log", $operator="Let's Encrypt", $url="clicky.ct.letsencrypt.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1f\x1a\x15\x83\x77\x00\x75\x62\xb9\x9f\xf6\x06\x05\xed\x95\x89\x83\x41\x81\x97\xe7\xe0\xd4\x33\xfe\x76\xba\x3b\xc9\x49\xc2\xcd\xf1\xcf\xfe\x12\x70\xd7\xbe\xa8\x22\x5f\xb2\xa4\x67\x02\x7b\x71\xae\x1d\xac\xa8\xe9\xd1\x08\xd5\xce\xef\x33\x7a\xc3\x5f\x00\xdc"), +["\xb0\xb7\x84\xbc\x81\xc0\xdd\xc4\x75\x44\xe8\x83\xf0\x59\x85\xbb\x90\x77\xd1\x34\xd8\xab\x88\xb2\xb2\xe5\x33\x98\x0b\x8e\x50\x8b"] = CTInfo($description="Up In The Air 'Behind the Sofa' log", $operator="Up In The Air Consulting", $url="ct.filippo.io/behindthesofa/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x59\x39\xb2\xa6\x94\xc6\x32\xb9\xfe\x63\x69\x1e\x30\x3b\xa3\x5b\xd5\xb0\x43\xc9\x50\x1e\x95\xa5\x2d\xa7\x4c\x4a\x49\x8e\x8b\x8f\xb7\xf8\xcc\xe2\x5b\x97\x72\xd5\xea\x3f\xb1\x21\x48\xe8\x44\x6b\x7f\xea\xef\x22\xff\xdf\xf4\x5f\x3b\x6d\x77\x04\xb1\xaf\x90\x8f"), }; From db15773c09ac90415057c0fd66dd3339e799b585 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 28 Jul 2017 09:21:35 -0700 Subject: [PATCH 082/147] Tiny script changes for SSL. log-hostcerts-only relied on old event ordering; the identifier key of validate-certs is now shorter (no function change, just potentially a tiny bit faster). --- .../protocols/ssl/log-hostcerts-only.bro | 23 +++++++++++++++---- .../policy/protocols/ssl/validate-certs.bro | 2 +- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro index f537616e7f..0eb7da29b3 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro @@ -8,7 +8,7 @@ module X509; export { redef record Info += { - # Logging is suppressed if field is set to F + ## Logging of certificate is suppressed if set to F logcert: bool &default=T; }; } 
@@ -39,14 +39,29 @@ event bro_init() &priority=2
 Log::add_filter(X509::LOG, f);
 }
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
 {
- if ( ! c?$ssl )
+ if ( |f$conns| != 1 )
 return;
+ if ( ! f?$info || ! f$info?$mime_type )
+ return;
+
+ if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+ || f$info$mime_type == "application/pkix-cert" ) )
+ return;
+
+ for ( cid in f$conns )
+ {
+ if ( ! f$conns[cid]?$ssl )
+ return;
+
+ local c = f$conns[cid];
+ }
+
 local chain: vector of string;
- if ( is_orig )
+ if ( f$is_orig )
 chain = c$ssl$client_cert_chain_fuids;
 else
 chain = c$ssl$cert_chain_fuids;
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index c2f4e569a2..352ff4e863 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -189,6 +189,6 @@ hook ssl_finishing(c: connection) &priority=20
 local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
 NOTICE([$note=Invalid_Server_Cert, $msg=message,
 $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
- $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]);
+ $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]);
 }
 }
From 7242aada0c3f25ac2e24f2289a9d3e4b1b4cbfab Mon Sep 17 00:00:00 2001
From: Daniel Thayer
Date: Tue, 1 Aug 2017 15:54:26 -0500
Subject: [PATCH 083/147] Update install instructions for Fedora 26
---
 doc/install/install.rst | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/doc/install/install.rst b/doc/install/install.rst
index e7ff45b4fe..4c43ee9c73 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
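Review bot: `|f$conns| != 1` on the first line of the new `file_sniff` body dereferences `f$conns` unconditionally, yet `file_sniff` is raised for every file, including ones that did not arrive over a connection; if `conns` is an `&optional` field of `fa_file` (as I recall it being in the 2.x `init-bare.bro`), such a file triggers a missing-field runtime error instead of being skipped, so the guard should read `if ( ! f?$conns || |f$conns| != 1 ) return;`. The same applies to `f$is_orig` near the end of the hunk if that field is optional too. The handler also reads `f$info$mime_type` rather than the `meta$mime_type` it is handed, which presumably works only because a higher-priority `file_sniff` handler in the files framework copies the value into `f$info` first; a comment such as `# relies on the files framework's higher-priority file_sniff handler having filled f$info$mime_type` would record that ordering dependency, given the commit message says the old handler broke on exactly such an assumption. The handler's body continues outside the hunk.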
@@ -54,6 +54,9 @@ To install the required dependencies, you can use:
 sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel
+ In order to build Bro on Fedora 26, install ``compat-openssl10-devel`` instead
+ of ``openssl-devel``.
+
 * DEB/Debian-based Linux:
 .. console::
From d5678418da92f9efd59c36189bd67b9349adc8e0 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 1 Aug 2017 16:29:16 -0700
Subject: [PATCH 084/147] SSL SCT/OCSP: small fixes by robin; mostly update comments.
SetMime now only works on the first call (as it was documented) and unused code was used from one of the x.509 functions.
---
 src/file_analysis/File.cc | 2 +-
 src/file_analysis/File.h | 6 ++++--
 src/file_analysis/Manager.cc | 6 ++++++
 src/file_analysis/Manager.h | 3 ++-
 src/file_analysis/analyzer/x509/OCSP.cc | 3 +++
 src/file_analysis/analyzer/x509/X509.cc | 5 ++++-
 src/file_analysis/analyzer/x509/functions.bif | 9 +++------
 7 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 2d9017a338..46624e23c0 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -294,7 +294,7 @@ void File::SetReassemblyBuffer(uint64 max)
 bool File::SetMime(const string& mime_type)
 {
- if ( mime_type.empty() || bof_buffer.size != 0 )
+ if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference )
 return false;
 did_metadata_inference = true;
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index c52d9efbc4..1d4fb03789 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
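Review bot: The third clause added to the guard in `File::SetMime` makes one bare `return false;` stand for three unrelated rejections (empty type, data already in the bof buffer, type already set or inferred), and nothing at the check says so; a comment above the condition such as `// First caller wins: refuse once data was buffered or a type was set/inferred (see File.h).` would keep the implementation in step with the header contract this commit rewrites. `did_metadata_inference` is presumably also set by the content-inference path, so the new clause makes a protocol-supplied type lose to an earlier inference as well, which matches the documented rule but is worth stating at the check rather than only in the Manager.cc comment.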
@@ -176,8 +176,10 @@ public: * Sets the MIME type for a file to a specific value. * * Setting the MIME type has to be done before the MIME type is - * inferred from the content. After a MIME type has been set once, - * it cannot be changed anymore. + * inferred from the content, and before any data is passed to the + * analyzer (the beginning of file buffer has to be empty). After + * data has been sent or a MIME type has been set once, it cannot be + * changed. * * This function should only be called when it does not make sense * to perform automated MIME type detections. This is e.g. the case diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 3140a1e9db..1659230bff 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -118,6 +118,12 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + // This only has any effect when + // * called for the first time for a file + // * being called before file->DataIn is called for the first time (before data is + // added to the bof buffer). + // Afterwards SetMime just ignores what is passed to it. Thus this only has effect during + // the first Manager::DataIn call for each file. if ( ! mime_type.empty() ) file->SetMime(mime_type); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d4ab6c8dfc..ce39b8144c 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h 
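Review bot: The new comment above `file->SetMime(mime_type)` explains that the call is inert after the first `DataIn` for a file, but the bool that `SetMime()` now returns for exactly that case is still discarded, so a protocol analyzer that keeps supplying a MIME type, or supplies one after data has already reached the BOF buffer, is ignored without any trace. Since the point of the change is to make late or repeated calls no-ops, surfacing them in the debug stream would make analyzer misuse visible during development, e.g. `if ( ! mime_type.empty() && ! file->SetMime(mime_type) ) DBG_LOG(DBG_FILE_ANALYSIS, "ignoring MIME type %s for file %s", mime_type.c_str(), file->GetID().c_str());` (assuming the file-analysis debug stream and `GetID()` accessor exist in this tree). The rest of `Manager::DataIn` lies outside the hunk.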
@@ -98,7 +98,8 @@ public: * certificates are passed as files; here the type of the file is set by * the protocol. If this parameter is give, mime type detection will be * disabled. - * This parameter is only used for the first bit of data for each file. + * This parameter only has any effect for the first DataIn call of each + * file. It is ignored for all subsequent calls. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 6ce51f9dd3..3770b5692c 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -344,6 +344,9 @@ clean_up: void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. #ifdef NID_ct_cert_scts if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts ) #else diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index b26bd4a1da..2999007146 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
@@ -240,7 +240,10 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); -#ifdef NID_ct_cert_scts +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. +#ifdef NID_ct_precert_scts else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e3fcb0ce11..a4901b31e5 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -624,6 +624,9 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa { x = X509_dup(x); assert(x); +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. #ifdef NID_ct_precert_scts int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); if ( pos < 0 ) @@ -778,12 +781,6 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha int res = 0; - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509); - if ( key == 0 ) - { - printf("No key in X509_get0_pubkey_bitstr\n"); - } - if ( type == 0 ) res = X509_NAME_digest(subject_name, dgst, md, &len); else if ( type == 1 ) From 6ba710fbf79475b46b8c19a45d6986080018a0ce Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 4 Aug 2017 15:04:13 -0700 Subject: [PATCH 085/147] Updating CHANGES, NEWS, and VERSION. --- CHANGES | 42 ++++++++++++++++++++++++++++++++++++++++++ NEWS | 26 ++++++++++++++++++++++++++ VERSION | 2 +- 3 files changed, 69 insertions(+), 1 deletion(-) 
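Review bot: The same three-line comment ("In OpenSSL 1.0.2+, we can get the extension ... not yet defined yet ...") is pasted into X509.cc, OCSP.cc and functions.bif together with the `#ifdef NID_ct_precert_scts` / OID-string fallback it describes; a single comment at one definition of the fallback, plus a named constant for the literal `"1.3.6.1.4.1.11129.2.4.2"` used in at least two of these places, would keep them from drifting apart. The wording "is not yet defined yet" also repeats itself; `is not defined yet` reads cleanly. The substantive part of this hunk, correcting the guard from `NID_ct_cert_scts` to the `NID_ct_precert_scts` it actually uses, is right and worth a sentence in CHANGES since the old guard could select the wrong branch on a build that defines only one of the two.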
diff --git a/CHANGES b/CHANGES index 731643588a..86c4162f08 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,46 @@ +2.5-288 | 2017-08-04 14:17:10 -0700 + + * Fix field not being populated, which resulted in a reporter + messsage. Addresses BIT-1831. Reported by Chris Herdt. (Seth Hall) + + * Support for OCSP and Signed Certificate Timestamp. (Liang + Zhu/Johanna Amann) + + - OCSP parsing is added to the X.509 module. + + - Signed Certificate Timestamp extraction, parsing, & validation + is added to the SSL, X.509, and OCSP analyzers. Validation is + added to the X.509 BIFs. + + This adds the following events and BIFs: + + - event ocsp_request(f: fa_file, version: count, requestorName: string); + - event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string); + - event ocsp_response_status(f: fa_file, status: string); + - event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector); + - event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time); + - event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool); + - event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string); + - event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string); + - function sct_verify(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""): bool + - function x509_subject_name_hash(cert: opaque of x509, hash_alg: count): string + - function 
x509_issuer_name_hash(cert: opaque of x509, hash_alg: count): string + - function x509_spki_hash(cert: opaque of x509, hash_alg: count): string + + This also changes the MIME types that we use to identify X.509 + certificates in SSL connections from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + + * The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. (Johanna + Amann) + + * Add an internal API for protocol analyzers to provide the MIME + type of file data directly, disabling automatic inferrence. + (Johanna Amann). + 2.5-186 | 2017-07-28 12:22:20 -0700 * Improved handling of '%' at end of line in HTTP analyzer. (Johanna diff --git a/NEWS b/NEWS index a884f4fe5a..6d35a8978b 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,32 @@ their own ``CHANGES``.) Bro 2.6 (in progress) ===================== +New Functionality +----------------- + +- Support for OCSP and Signed Certificate Timestamp. This adds the + following events and BIFs: + + - Events: ocsp_request, ocsp_request_certificate, + ocsp_response_status, ocsp_response_bytes + ocsp_response_certificate ocsp_extension + x509_ocsp_ext_signed_certificate_timestamp + ssl_extension_signed_certificate_timestamp + + - Functions: sct_verify, x509_subject_name_hash, + x509_issuer_name_hash x509_spki_hash + +- The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. + +Changed Functionality +--------------------- + +- The MIME types used to identify X.509 certificates in SSL + connections changed from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index aa91067d4a..4c6456e664 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-186 +2.5-288 
From c251245538169c0e1053065e59c60e6bc4d995d4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 7 Aug 2017 16:10:46 -0500 Subject: [PATCH 086/147] Fix a netcontrol test that often fails The catch-and-release.bro test was failing whenever three conditions were all true: sorting the netcontrol.log before comparing to the baseline, the presence of LC_ALL=C in btest.cfg changes the sort order, and sometimes the timestamp increases slightly beginning with one of the rule_id == 5 lines. As a result of these three conditions, the sorted order of the lines with rule_id of 5 were different than the baseline. Fixed by not sorting netcontrol.log, as this doesn't seem necessary. --- .../scripts/base/frameworks/netcontrol/catch-and-release.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro index c48b3b3551..29c56c2535 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log # @TEST-EXEC: btest-diff netcontrol_catch_release.log @load base/frameworks/netcontrol From 712780079191d0decf83a8e8c268e8da34d7248d Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Thu, 10 Aug 2017 12:47:14 -0500 Subject: [PATCH 087/147] Fix the expire-redef.bro test The expire-redef.bro test was sometimes failing due to the second "Run" message being printed after (should happen before) the "Expired" message. Fixed by increasing the time interval between events. Also reduced the number of events raised to make the test finish more quickly. --- testing/btest/Baseline/language.expire-redef/output | 2 -- testing/btest/language/expire-redef.bro | 10 +++++----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output index d5a745e7f3..42bb1b485c 100644 --- a/testing/btest/Baseline/language.expire-redef/output +++ b/testing/btest/Baseline/language.expire-redef/output @@ -1,5 +1,3 @@ -Run 0 Run 1 Expired: 0 --> some data Run 2 -Run 3 diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index 6bf43ae98a..5cbb00f313 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro @@ -9,16 +9,16 @@ global expired: function(tbl: table[int] of string, idx: int): interval; global data: table[int] of string &write_expire=exp_val &expire_func=expired; redef table_expire_interval = 1sec; -redef exp_val = 5sec; +redef exp_val = 6sec; global runs = 0; event do_it() { + ++runs; print fmt("Run %s", runs); - ++runs; - if ( runs < 4 ) - schedule 2sec { do_it() }; + if ( runs < 2 ) + schedule 4sec { do_it() }; else terminate(); } @@ -33,5 +33,5 @@ function expired(tbl: table[int] of string, idx: int): interval event bro_init() &priority=-10 { data[0] = "some data"; - schedule 2sec { do_it() }; + schedule 4sec { do_it() }; } From fcd735cecd05899cb1115e23ca7718952e5e860b Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 11 Aug 2017 13:51:49 -0500 Subject: [PATCH 088/147] Fix core.truncation unit test on macOS. The pcap file format has a global header and a header per packet. The global header of the pcap in question had a snaplen of 1, but with packet headers indicating the full number of bytes saved within the file. It seems like the pcap file must of been artifically edited in order for it to be this way. When reporting the captured length of a packet, Apple's version of libpcap now seems to report the full number of bytes saved within the pcap's per-packet headers, but other versions seem to report the snaplen from the global pcap header. This caused the core.truncation test to behave differently on macOS from other platforms. I've manually hexedit'd the pcap so that the snaplen is still 1, but contains just a single packet with a pcap header indicating a length of 8, which is less than the size of the link layer header and so should still test the original code path that the unit test intended to exercise. --- CHANGES | 8 ++++++++ VERSION | 2 +- testing/btest/Traces/trunc/trunc-hdr.pcap | Bin 6435 -> 49 bytes 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 86c4162f08..a1b2729cf4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-294 | 2017-08-11 13:51:49 -0500 + + * Fix core.truncation unit test on macOS. (Jon Siwek) + + * Fix a netcontrol test that often fails (Daniel Thayer) + + * Update install instructions for Fedora 26 (Daniel Thayer) + 2.5-288 | 2017-08-04 14:17:10 -0700 * Fix field not being populated, which resulted in a reporter diff --git a/VERSION b/VERSION index 4c6456e664..303202a260 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-288 +2.5-294 
diff --git a/testing/btest/Traces/trunc/trunc-hdr.pcap b/testing/btest/Traces/trunc/trunc-hdr.pcap index 0ab12ee6c78e1c88093333c6638359514c28c750..689128f2bb5db52f0b06d74f641fa534b5bb3530 100644 GIT binary patch delta 23 dcmZ2%WH>=Vkb{AN!4HTT)H~nRMi@{U&?H0Uy`HkP}%lL>0@cYW|9t?Gi zUm`?RccEAScBX)@XAngLiU6CFQ4o0@_3xo%3Q%YkAaET33U~y(fPX*5BlVZM8a`f= z91!!2)tX~_89CtX>tLL`HuuPX%;=>m3Q&%0o*Yk{r_PfGroaSbfOMWTj|dDw3Qv|N z%2Vb|2MU17ljPxnIFHH`j)NSz0trCC0|W=efdK@O0+K)pu8{!^ZWf266#3gl;E(bUga|>X z&>nCQKpIdWmnFr-?0f*NuQuf?UqXx;PV6Hz5Yw|jBb+O zna7s<@4$o(RXONF0q;e%lvaxb<0 zWcJ)Ur_^nllL2kSq=nTU9BMCXl|4XR$qnX{LRkXs*g_jzghz&I6?2s8R*ID^(FnYA zdL(%3>!lV49#^`Bkp_L6-pYgko(urfMiD517vf`r69_KBl;|CXg;o=@Ase zn`jOz#E<1i_wWf0^z-2ahKA7HSm9BuaJrQxIzv$s{%3%iqWs|vUyV=$29v?W-n~&S zBEe8Wr(?L%WI31cz$hOMi|!mA;1d!U%LijnQ5j;N4hbP3T;o~r+6npgk{DZ@2MJ(OXxm$E2T@+{s? zzmJ?9Ivu?CtQ~RBV)=Dx|AgMJ9_)7rQGLC2M(!<{UUOH5@)r-I->ZWT;EG(;cHXpg z4AeXoSKFX(WWSv4EH#+(?8=?j`)k^+47;okS~cRo@b;}O3dLL#86bUarJpBf$(s@U zn(}RORoVUioPuh?Z5IzwDe)4c3yGk;JBxR@aIzS~%$1ki%TuVw8)s zLsg;hR5S=QR3TArew#~aM{&jLw~p(?S#4_VA3k(Qqbk@2DS`q)jthd_zN^ zv2w_p4%Ch_dSWN8ekC^3O1i?OoF%&j`4VA)(N+ZZ9fq=&miv>*lLQp{ENTSeA zi9``R^7RQ9|MM}2&Eae`)7SS651u=Y+0YI85o{l(9xF;O0^TsoaJ>M=9JmKHC}tL; zY2*GH9Zdw^4nE;8*4MulVJy=L=J0YFlf>4g*&}Hq!8in+jcN-y#UTpH7%vf!8NNT@ zj6=0@aYK{RN5+naAcS}{7M&^l6-Cl$W5)>fjo3Kh7^v&lT_S0=!o&Jto+e_#Mt$Mc z!CZ~d(|mI@0zYGA35CGnUsM$;rU4uZCb>O47xVJ6y5qh4x8SclWy~5|=_`xt5JrsP ze_)b=02|er=l+&^zIoP_pwFDyp?A9Ko;(~`NSYPz#A5ai`%#v*7C$|y(NK#jSA!3k zE%+0OcXY0*A2e(T^6gOB)8khZDY9*eyIB7h^#!MBgr}%@(Kcr* zZcJ^TSya63o_kYI{vQv)FF~`D9ktgyIH^p2iep=6>_cZ5cFzCp)NhQ8H@z<=hq&Vx z0@wHN<7PI3#K;@koEhA5MIIk>metgS_cV8>d2q!+{87}SD%3+!9{MhywLL*9$&=K922XUP!YIVgkN8mt^OQnIIUyEp>nlrh zbD=DJhhDTtt1mT%g+*pWycIx*Z`b`;dQB!G3Xo*74mAf0(`^ zS5|`bHv!sdsaZRGI~%GjOnTbhy(}ft&dy)Zl&{EqNz3~5hJ4gdE%kR1ib17ohK?%x zKxqwrc^Zk!u-DbH4uf^TV99s|dkb82t z>FZDS-u3IqbAK^%YMM*%@&=i~5ywHwxdf@9I~R5+Y?XDt$MZ3GJ^WDbWn=m;Y1{9q zJ*{*iZ+&R0sn|7qH#hYjL2Y9}Xz1vwdXpzMzk96E-l8mNx#D=;S*>$bPe0A>SJQ}` 
zR-tzw%`ofWrkaR~d%1c~-;xVnUt0R>7DZlIq3)wMA1T^ObI061;s67o4JwOyEB^IH zMqyToIo#zVLWhf_{foneS;rHyL-pMGjFMpTtxjV?khiWd~mOEVKXtMFi901#wH zUpFG+lk=NWjPW;_HO>2zraA6fYHqtf^`GRDkA+!>Z%D2=GyfJLI$KUIj(PAZ zIJ&B_=8*e#Zx8kn^^NnA!tNK8*_aPK8!lPabv5qS7olWM-`P%*=;Mp&k})nja}LnV zcVdx19!7!$ykL%%fy^HaQ>+BViaC5(OCweXNVrX`1ClcN5rPKZjp_m5rS-;8n|eZX z%boYJFjGgm6@b(On7-VFM%*TjfMPCk13osB!~|IZ3gadh`43#GL6ZtgVAAqE?b4)~ zFp))#=Ax*Hp#hdSN1$P-11e@q)RDr&x&jd79EQ$k(k@1k@|qr5=&{Yi)<1ooHXh9a z2s5OqRYD?|LZMh@Y{?iMS3f|rLBQ=I%HGVti0L*sxeSZc{;u6i<(dQT62=v{UrW;s zQM#{78>^3su(M-Dy3bZCZTP%{x^Tg@FOM#rGZF2Z{Yqwpdv6x+=1%YFrexKqdF-1m z39VO4XsI&>0v;at@L<38mLX}^8+%g*$S+ObzCG3{6@9VnpPmy63i5GAg@ax3FSq2+ zJ+*2m_nxO!`bxXNBLRJH88Z5hQT}Vyub4w&Xzw9{JpGMC)x8mJtH0I>G1G|;$j%I1{IzPu|+CYcqObPeZTzNf? zQ@OcnMMQjEoPtxH!JS-Lr^`=A2Atpdp7pM85=*_A@HqEm$MJ&+Vejs~vcBjVLg!TM zGO;}`n*J($*6$jrcEOE@Hh%uS$05q?*=b(a+8{@9XPG?bqMKHr>`BwY0F$M5Lv}A; zi|?T2G|xXb=jFLr^Q-gM^i1sD5$uh1l8m9|Ii%pxzB4}A-|N=n*~87PtK zjEZ8eEb5NcTbaUi*q75EbeZK=e?;3F^eHBLuKAZb*v|G=&4tGSbn32*Itc}nrH{l~ zVv4Yi1wm@80$&Vorjqcg1;JBU;4fv;PhWxi&<~Yuop_DZOLK z{epyByC_Z{BfPZFyWKEbtt?tloo)VEtn4;^G^}}*$qVb>=(iON)ZX=XnV=EShx*s*}u7&dRQ{O*MtFj<;~0U!rUPHawYl_8{-Cd?N~o(Do_ zsK)P=rL;ZJ3=ejJ&hUJ--~h+rL5{-ASr-)lQNB`tQzYeH`ohphhHD7h?#El_*3_n) zNl=e*oWCdEX*bUALs4wSJi@0hNl2&Sv5SY(%?^zodoE(fx(a&b3(Zzt4BO{H&&fJ| zLm{zX!L8f>jf3OMih}$7J*>FV{`}b`t%bR7@5D+RwKwg5P+NNYL(CzA>&cru+Whxe zfJHl|v+ss)>v=n%ZS=S1$E~_6v&D2%Ru|{s;%~R_ZYtikx+h|vP*56RrdFZ)HHz2f zH(hVmQ&njm*Ou=LH9)eqTvOB;&i?WEvc|neDpGvF50haIl%de7iBl}8&;r^3yZ~6M zQDBc)Gc!E6uPn6++T)-w#idmcfjcxJY)-KxI|k=_mNbR}Es0$YfFl0hgn@u*F@L$Z z*R8t+_O-nWdsG1$U_-6}!cW#TIQi-drfDfTp`ry%(bOu)={8K!mx3^S1SIi>G*50` zY<`4iJ-3&5iDGPS6p+Ncxx3u|M90<(ylZ7a_xxT-ghUUxcSqw)Zb;ZW-r!tisBH=&rBjz|^x?wOr+&C2@2@gE!4scoq)4v+{U^ z0!}|#w^OF!z1JhD*4__)4}B>eKIi5bfDwp+1je-;u~uQ0Fhu~`EzNuac@u?|=E^4^ z1Ku^1VLHSHhSd$Rgyu0tvD&9+Pgbl2W*%4tWDL#Yz0f?Kb`hTc7)9E4G78_wFcepa z^0kiY`zbHa2F6fICYb8asiIce8*4}q)C%i%D=1psBu?I l1ygB_)g+a=VM=s?&P`$!_Jj=#OZjJ5+FCRCSd0E0>wgL>%KZQU 
From 823fba1713d9dc95717b3e942953152d8044fbff Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 25 Aug 2017 15:39:12 -0500 Subject: [PATCH 089/147] Fix ascii writer to not discard a ".gz" file extension When Bro writes a compressed log, it uses a file extension of ".gz". However, upon log rotation the ascii writer script function "default_rotation_postprocessor_func" was discarding the ".gz" file extension. Fixed so that the correct file extension is preserved after rotation. --- scripts/base/frameworks/logging/writers/ascii.bro | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index bbf11c26e7..6f2b03aafd 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro +++ b/scripts/base/frameworks/logging/writers/ascii.bro @@ -79,9 +79,12 @@ export { # runs the writer's default postprocessor command on it. function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool { + # If the filename has a ".gz" extension, then keep it. + local gz = info$fname[-3:] == ".gz" ? ".gz" : ""; + # Move file to name including both opening and closing time. - local dst = fmt("%s.%s.log", info$path, - strftime(Log::default_rotation_date_format, info$open)); + local dst = fmt("%s.%s.log%s", info$path, + strftime(Log::default_rotation_date_format, info$open), gz); system(fmt("/bin/mv %s %s", info$fname, dst)); From 8741d6323a0ba0c30a2837223bc9650bdcad4505 Mon Sep 17 00:00:00 2001 From: Alan Date: Mon, 28 Aug 2017 14:20:37 -0500 Subject: [PATCH 090/147] Fixed typo --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a1b2729cf4..d6f7125f33 100644 --- a/CHANGES +++ b/CHANGES 
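Review bot: The new `gz` suffix is spliced into `dst`, which is then handed to `system(fmt("/bin/mv %s %s", info$fname, dst))` unquoted, so the function still builds a shell command from log path names without escaping; that predates this change, but since `dst` now carries one more component derived from the file name it is a good moment to quote both arguments, `system(fmt("/bin/mv %s %s", safe_shell_quote(info$fname), safe_shell_quote(dst)));`, if that BIF is available in this version. Detecting compression from the last three characters of `info$fname` also means a log path that happens to end in `.gz` gets the suffix even when the writer is not compressing; if the writer's gzip setting is visible to this script, testing it would be more robust than the name. The function body continues past the end of the hunk.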
@@ -850,7 +850,7 @@ 2.4-683 | 2016-07-08 14:55:04 -0700 - * Extendign connection history field to flag with '^' when Bro flips + * Extending connection history field to flag with '^' when Bro flips a connection's endpoints. Addresses BIT-1629. (Robin Sommer) 2.4-680 | 2016-07-06 09:18:21 -0700 From 1ede6bf7fe4df38b694959bf7bfd80715e3b6cd0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 9 Sep 2017 22:25:49 -0700 Subject: [PATCH 091/147] Add TLS 1.3 fix and testcase. It turns out that Chrome supports an experimental mode to support TLS 1.3, which uses a non-standard way to negotiate TLS 1.3 with a server. This non-standard way to negotiate TLS 1.3 breaks the current draft RFC and re-uses an extension on the server-side with a different binary formatting, causing us to throw a binpac exception. This patch ignores the extension when sent by the server, continuing to correctly parse the server_hello reply (as far as possible). From what I can tell this seems to be google working around the fact that MITM equipment cannot deal with TLS 1.3 server hellos; this change makes the fact that TLS 1.3 is used completely opaque unless one looks into a few extensions. We currently log this as TLS 1.2. --- .../protocol/ssl/tls-handshake-protocol.pac | 7 ++++++- .../.stdout | 1 + .../ssl.log | 10 ++++++++++ ...hrome-63.0.3211.0-canary-tls_experiment.pcap | Bin 0 -> 5317 bytes .../base/protocols/ssl/tls13-experiment.test | 16 ++++++++++++++++ 5 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log create mode 100644 testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/tls13-experiment.test 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 6a1988111e..febfce68b9 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -487,7 +487,7 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); - EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; @@ -495,6 +495,11 @@ type SSLExtension(rec: HandshakeRecord) = record { %include tls-handshake-signed_certificate_timestamp.pac +type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of { + true -> a: SupportedVersions(rec); + false -> b: bytestring &length=data_len &transient; +} + type SupportedVersions(rec: HandshakeRecord) = record { length: uint8; versions: uint16[] &until($input.length() == 0); diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout new file mode 100644 index 0000000000..0b7bcb5742 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout @@ -0,0 +1 @@ +7e01 
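Review bot: The server-side branch of the new `SupportedVersionsSelector` discards the extension body as a `&transient` bytestring, which stops the binpac exception but also throws away the one field that would let the analyzer report TLS 1.3 instead of the `TLSv12` the new ssl.log baseline shows. As far as I recall the TLS 1.3 drafts current at this point define the ServerHello `supported_versions` body as a bare two-byte `selected_version`, so when `data_len == 2` the payload can be parsed as a `uint16` and handed to the analyzer (an event or version override in the handshake analyzer, outside this file), with the opaque skip kept for any other length. The sketch below keeps the client branch unchanged; the `&until($element == 0 || $element != 0)` idiom on the `EXT_SUPPORTED_VERSIONS` line is pre-existing and left alone.
```binpac
type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of {
	true -> a: SupportedVersions(rec);
	false -> b: SelectedVersion(rec, data_len);
};

# ServerHello/HelloRetryRequest form: a single selected ProtocolVersion when the
# body is exactly two bytes; anything else is skipped opaquely as before.
type SelectedVersion(rec: HandshakeRecord, data_len: uint16) = case data_len of {
	2 -> selected_version: uint16;
	default -> data: bytestring &length=data_len &transient;
};
```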
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log new file mode 100644 index 0000000000..c88237dd18 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-09-10-05-23-15 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1505019126.007778 CHhAvVGS1DHFjwGM9 192.168.0.2 62873 104.196.219.53 443 TLSv12 TLS_AES_128_GCM_SHA256 x25519 tls.ctf.network T - - T - - - - - - +#close 2017-09-10-05-23-16 
diff --git a/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap b/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2b8040b10907ac1de7dc37ddab9c21bb8cbd7595 GIT binary patch literal 5317 zcmdUzcUTkMwudJPB~)nvM0)QXLg*j@QX)l^&_sGuiXb2;Afli^01*h%5g{~DdJ#gA zqJW}QK@m}USER$4=)K?f=y&cpf8UvB<(bLOe%G44e|u%G8Ek)+3k67kzYh`s0^V$P zRAC5|v;Z2sCfXoL-!@NgkW6c*MjISB1pu1uq?&*x*%ews5dd}T7+2WDK^jL*@mGkX z3h2?1StS5KNl2?8Fc>KW0;iN+l*=Kukw5|92S`6)2LJ=`o@l?gzkGmnZa@`u0LYVR zZ4=2v50J)9TnuSBGw8uThv72tSnnr2mIMl?v<+-nC(=Pr@PS4{Y$t)iNk|~1 zFgPhG1WrZKRV-8ncGR%u{nf0_+3>BLyh`O(OAOECgsH1%BF}MA9k*H<2i0|9=tH?0zSLLItjYlD`Ur z6^l)ry#ZkY-9sQO;HMzRf}ObMqw{v(Z7`3h zbbPbY?-MOjvNn`QFNHLwa!0=2#I3@T~N($V(w(fhC?`WmdbFq3FD;2w!lg@A2 z`HGv)A25D0X)2*6A;%DAKD8)I54u~?T*?xmP(_PwZZNOpRIqeC8_>M@K$+nEYX_c69cA6@X;;*tzX{wgjbSEuN` zMJj#& zrErO|)wzT~CuHVuzPYI2iR!P`_~;t;op0&7M~$l3)1K1z4Fk6c&8KB=nFr@k*clFB z5BnU;#wN=l+`Gqv+UL$N`S{6IS8;kDLYGyV|Cax*uOb>_=}1Jv9tH z^(DMk$&uTjFSA?&*XkY?X~yz0k*c&Man>!!==iOnlTm>TnP^gbz0+tj${_M@vR-bt zU%|8k>+>pecRIunaE;;BbBqISy_0TXDQL@5a@EP^Bqg@E`zPiaLe@=lDFdy#W@V%K zs+XN39+{>%(d@>##~cQ=*q@+No7BC|HTxj`Q}b+~TX!V?dfPb&wN;Uoy|Ka}Z34;c@#1EC-dRB2Tq+CNiWjtFZn! 
z908i3qdQa?3tnwf+Ra=w&lNlw=nD;)XY9|7cu-i3hz9l*lhM)rc(N8O?fnXaE&J9I z`!OoH;?*Y2i2LO85REJh$8;%LG4T`X>S+3p&BSjPUiWZVBv@9Z=5qWk@A=^GQ3NhzxkfhT zQMyrQ%%ZlN!>_ZJk;q23mt9ne0r17vDFKr43oJ6Xj5Izljyc; z1?E2M^O^ZtyOoH!4g^l>xg@*X`@l*9cZDW*RMB$F(`)!a`^Q0k*#0ZWu{+aGsPM3r%*s^1bU@7L?eYIHqx1aC=ofy^=#{De`yatn{(DC67cYj;J{)-5 z_CU_qoDDKDzw7`rn4I$Tt1Py=7upsaZyuMfdcz9(jf8^)#u3tfGN`dEIf~qQNdwP) zdwJ;Hr_Q`Gwf?=Y4h^aM;Wr}5*RIE0IIR}!N4+Gxd^3Wc!A(WM(;+x{JfS<;{H)kD z2^hw#cZ4u>wM!zEg7cXki)?5kHas#^rO>W`d| z$E}^aEGbdQ`6Jnkiye|_sp}e4vaADGm)r5YdZfZIk@JOEV?DtqgHc5y6LaR?Qws`C z&(C+}T31T3T)NR^Ikhi9U3DGlnFTLsFYveY5|4(M(BH;vEbIR;;2T-oV?NXqz-vP7 zKP;rA?-kleD|1x0=4A?>Rd6?|vkJ|s6Pd6k|6a#7FuoX*tWJJmUWMeuhmRJwq8DbH z`|dngGe~(Q^2J;nYlYC+cD+*4-VAjp&S6&)-eiB3v`^v_W|!fb)*54_P_BG56VuDp zL;mh2Uudx47R!e092qNp%lLZk+jcm7OgM zopDbf==jbkDy0fyJEV?tFswWflpnR3e@7XhO2DKi-%4b`mhQ2={r}8>!eTVP_u^6@uyj9DW6w}M2^DbrZ|p&TdSkq92f9Me%MPJ{ES}oOi#HYj$09bbp5dJ$Nzngfe?j9T1b3Kp!r6_Dzwr z$h4gQIW{l0NO<5_NfaM%=N8Gaw65aw2fHC&A+F18!`cns2_~Wiv%*QmPXx?ZtS{v~ zl5pv-`Mim*ZE+tM-q7F1CGnUFQ>63UHZaO(jkF5RT@gCpT_?%JT_9vz#ATo8)fTFS zlDN!6I}-U-&N`p*RbG*9KK1lF%WWqHe*Ts0&)GvTVZ+h+!7Uau>6ipvN)^d{C))gu z?6C_^po0%CV{%pJic|xws@RpU3yFyO9<5rAFiwt4n?4G%U7R8$-(#D%#&KPgld*dE z9M3ete`#30UEgBIYr9wEj9U2;>d@HBLvjbJEmX8uShINH-b^&@RjSrQaDNFouKh(Z zQp!n}qG{>cdy^Xs0jb&Ziu*OkCA`ZyI~ip}-0#$AwM+>H9ph5JMh_?N-=@@@q_=mj z-a>lGak>*TdMB9CEy3L|(f-_{LktkS#EdT1{d-2Q|F!F91-_O={hra0{ZS6peH+-u z9{sBht*CXKTQ-6%G@1peStma7NUUYvzu4)c$8`X>=d|BResK0%L5GsEJc8pAd(`nT z%MaVFF@x4KT)FNNp0yK)EcHTr5C$5JF+*cqyt3!fE+0xGl0IQfN$YMMHOhXRr?I;l zH6!3adOy%ke%KYVXrY^v-fKi^monC)cJKQQlupH6 z2Q+WuiCcdK*W5h>>grx;)uH8Wk4Caf`Xiy>ljI~RJd#g^I(js{LPj`=wQ5vVe$Bf3 zno~Na2b#a%LLBE+aGbTlI+1997VUt%b_cO&|7QJr(Owc9Ls}2M1~@h-VEAjCWf$d5 zh!xg3M0YMCLvvQ)XSE`E1QW zBaW>jKTwqTj8mg9;2aeAX@9B{s*m6!s#CP*cXc*MfcuU5a8RB4cm7f*4{_v(Gk9>2 z*JGLiI4f#MtQ%UYw@F%MWYjtp(Wntj7TKS}++qW8vTnIc(546o%5tv*Gtupe7dsoy zYAq8!t^%n80iPM>H$j!INqc-&url3Pc zqFVRkrl2Y0Vl)2eICYx0ThnsmuEP&$de}wlY<$}@^OjEep>cH{Zxw4qzB?jWaP%Ir 
z6#29BPsMkgO%Cqflg?SJ<|(Jj8D)CeX2jV#V|0%o#Kk{w10> zsown%U4rYM6r|kNMn)8d1%6RwJ+ZBMQefp!0Ak(Ncmi*7ckeMKQfRvB``cTQyybP_ zUZOXd7vv-hur=y9Q?i5a^xQs4fdio^GFR%2r3yqqk&SCcHhkZ=x~C?RHl!o)ERFBW z#|(Dw7&LW7EhPu-#iPw#&Fd7$+7i$C6rMmX=RdifN#l47FhR_W<9OjD&uG}#G5dDd zh%hC^sY`wzk}dDzvBj4wx|gGC@J)iARZH2rnnDQGkPE@GPlmTuwiB2FO&{*`WO&#! zpS%xc=_M#h>bP}L5jy9h0N7>Iz4Y;^w&upiG8G|iVi7-7JR6vr+a^s(Drig1Tb80r tnFm|)-w;)X8iW0ZwFz_j`9iJf58c Date: Mon, 11 Sep 2017 09:26:33 -0700 Subject: [PATCH 092/147] Fix small OCSP parser bug. It turns out that the serial number field in all events was never populated correctly. Instead, the previous field (issuer key hash) was re-read and repeated in all events. --- src/file_analysis/analyzer/x509/OCSP.cc | 1 + .../.stdout | 2 +- .../ocsp.log | 6 +++--- .../.stdout | 2 +- .../.stdout | 4 ++-- .../ocsp.log | 6 +++--- .../.stdout | 2 +- .../ocsp.log | 6 +++--- .../.stdout | 16 ++++++++-------- .../ocsp.log | 12 ++++++------ 10 files changed, 29 insertions(+), 28 deletions(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 2b3d9f5fd2..02c9274999 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -71,6 +71,7 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) BIO_reset(bio); i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout index 4678baf15d..45bec12af2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout 
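Review bot: The restored `len = BIO_read(bio, buf, sizeof(buf));` fixes the stale-length bug, but `BIO_read()` returns a negative value on failure and `new StringVal(len, buf)` receives that as a length, so the value should be clamped before the append, `if ( len < 0 ) len = 0;`, and a serial longer than `sizeof(buf)` is silently cut to the buffer size, which for the field that identifies the certificate deserves at least a `reporter->Weird()` or a comment accepting the truncation. The preceding `i2a_ASN1_INTEGER()` call also has its return ignored. The hash fields earlier in `ocsp_add_cert_id`, outside the hunk, appear to follow the same pattern, so a small helper that does the BIO read, length check and `StringVal` construction for all four fields would keep the fix from having to be repeated. Note also that `cert_id->serialNumber` dereferences `OCSP_CERTID` directly, which is opaque in OpenSSL 1.1.0; `OCSP_id_get0_info()` is the portable accessor if that version is a build target.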
@@ -1,3 +1,3 @@ ocsp_response_status, successful -ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0 +ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 3D474496FF942316, good, 0.0, , 1436577056.0, 1437181856.0 ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index bdb8384676..3c092fce95 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-10-23-35-49 +#open 2017-09-11-16-24-17 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000 -#close 2017-02-10-23-35-50 +1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 good - - 1436577056.000000 1437181856.000000 +#close 2017-09-11-16-24-17 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout index ca94887c05..293ea05c75 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout @@ -1,2 +1,2 @@ request, 0, -request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout index 3996bbd84f..0f3ad8f536 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout @@ -1,5 +1,5 @@ request, 0, -request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9 ocsp_response_status, successful -ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0 ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 3707e84c48..a2ea3b6893 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-41 +#open 2017-09-11-16-24-41 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 -#close 2017-02-11-00-00-41 +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 good - - 1434665014.000000 1434794614.000000 +#close 2017-09-11-16-24-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout index 230e80b4cd..7ca240f05c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout @@ -1,3 +1,3 @@ ocsp_response_status, successful -ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0 ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index e897453b5c..306819f251 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-52 +#open 2017-09-11-16-24-53 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 -#close 2017-02-11-00-00-52 +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 good - - 1434665014.000000 1434794614.000000 +#close 2017-09-11-16-24-53 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout index 545f761acc..5e444491b2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout 
@@ -1,20 +1,20 @@ request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 
0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 58b226320d..387342197a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-56 +#open 2017-09-11-16-25-05 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 -1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 -1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 -1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 -#close 2017-02-11-00-00-56 +1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 +1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 +1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 
1443473859.000000 +1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 +#close 2017-09-11-16-25-05 From 1a6b6f2586556ca0fdaee2dbae6a04936cda08dd Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 11 Sep 2017 21:02:07 -0500 Subject: [PATCH 093/147] Updating CHANGES and VERSION. --- CHANGES | 7 +++++++ VERSION | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a1b2729cf4..2bd08b9cf1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-297 | 2017-09-11 09:26:33 -0700 + + * Fix small OCSP parser bug; serial numbers were not passed to events + (Johanna Amann) + + * Fix expire-redef.bro test. (Daniel Thayer) + 2.5-294 | 2017-08-11 13:51:49 -0500 * Fix core.truncation unit test on macOS. (Jon Siwek) diff --git a/VERSION b/VERSION index 303202a260..a5ed34e608 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-294 +2.5-297 From 75647a448c2efa84c79b4788e4f1740572daf524 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 15 Sep 2017 12:15:54 -0500 Subject: [PATCH 094/147] Add test to verify that log rotation works with gzipped logs --- .../frameworks/logging/ascii-gz-rotate.bro | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro new file mode 100644 index 0000000000..2a1c388322 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro 
@@ -0,0 +1,25 @@
+# Test that log rotation works with compressed logs.
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: gunzip test.*.log.gz
+#
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Log: record {
+ s: string;
+ } &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef LogAscii::gzip_level = 1;
+
+event bro_init()
+{
+ Log::create_stream(Test::LOG, [$columns=Log]);
+
+ Log::write(Test::LOG, [$s="testing"]);
+}
From 7e374f8c3f800b7fc2cdd4cf36dab753d3013754 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Fri, 15 Sep 2017 20:30:39 -0500
Subject: [PATCH 095/147] Updates the SSH analyzer to support the "curve25519-sha256" KEX. From the OpenSSH 7.4 changelog: sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org".
---
 src/analyzer/protocol/ssh/ssh-protocol.pac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index 28b0379999..3b147f6b6e 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@@ -410,7 +410,7 @@ refine connection SSH_Conn += {
 return true;
 if ( update_kex_state_if_equal("ecmqv-sha2", KEX_ECC) )
 return true;
- if ( update_kex_state_if_equal("curve25519-sha256@libssh.org", KEX_ECC) )
+ if ( update_kex_state_if_startswith("curve25519-sha256", KEX_ECC) )
 return true;
From a4d25c882870ee1517898896e02cc09a2821b623 Mon Sep 17 00:00:00 2001
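Review bot: `update_kex_state_if_startswith("curve25519-sha256", KEX_ECC)` now classifies any algorithm name beginning with that prefix as KEX_ECC, not only the two names the commit message lists; that is presumably intended, but nothing in the code says so, and a later reader may "fix" it back to an exact match. A one-line comment above the call would record the intent, e.g. `// Prefix match covers both "curve25519-sha256" and "curve25519-sha256@libssh.org".` The enclosing function starts and ends outside the hunk.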
From: Johanna Amann
Date: Mon, 18 Sep 2017 11:38:14 -0700
Subject: [PATCH 096/147] Make "in" keyword work with binary data. This switches in from using strstr to use strnstr (implementation from FreeBSD on systems which do not bring their own implementation). It is especially likely that users come accross this when using the DATA_EVENT analyzer with files that contain binary data - the test uses exactly this case.
---
 src/Expr.cc | 5 ++---
 .../.stderr | 0
 .../.stdout | 3 +++
 .../scripts/base/files/data_event/basic.bro | 20 +++++++++++++++++++
 4 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr
 create mode 100644 testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout
 create mode 100644 testing/btest/scripts/base/files/data_event/basic.bro
diff --git a/src/Expr.cc b/src/Expr.cc
index 9927ca52ec..bea43ff7c4 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -4351,9 +4351,8 @@ Val* InExpr::Fold(Val* v1, Val* v2) const
 const BroString* s1 = v1->AsString();
 const BroString* s2 = v2->AsString();
- // Could do better here - either roll our own, to deal with
- // NULs, and/or Boyer-Moore if done repeatedly.
- return new Val(strstr(s2->CheckString(), s1->CheckString()) != 0, TYPE_BOOL);
+ // Could do better here e.g. Boyer-Moore if done repeatedly.
+ return new Val(strstr_n(s2->Len(), s2->Bytes(), s1->Len(), reinterpret_cast(s1->CheckString())) != -1, TYPE_BOOL);
 }
 if ( v1->Type()->Tag() == TYPE_ADDR &&
diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout
new file mode 100644
index 0000000000..ddfdf71f06
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout
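Review bot: The new `strstr_n` call takes the haystack as raw bytes via `s2->Bytes()` but still passes the needle through `s1->CheckString()`, so the two operands are not treated the same way; if CheckString stops at or substitutes embedded NULs (as its name and the removed comment suggest), a pattern that itself contains binary data still will not match even though the haystack now can. Passing the needle the same way, `strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s1->Bytes())` (with whatever cast strstr_n's parameter type requires), would make the fix apply to both sides. The commit message refers to strnstr while the code calls strstr_n; worth aligning the wording with the helper actually used. The remainder of InExpr::Fold lies outside the hunk.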
@@ -0,0 +1,3 @@ +Found +Found +Found diff --git a/testing/btest/scripts/base/files/data_event/basic.bro b/testing/btest/scripts/base/files/data_event/basic.bro new file mode 100644 index 0000000000..2877155ebb --- /dev/null +++ b/testing/btest/scripts/base/files/data_event/basic.bro @@ -0,0 +1,20 @@ +# Just a very basic test to check if ANALYZER_DATA_EVENT works. +# Also check if "in" works with binary data. +# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +event stream_data(f: fa_file, data: string) + { + if ( "Windows" in data ) + { + print "Found"; + } + } + +event file_new (f: fa_file) + { + Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, + [$stream_event=stream_data]); + } + From c1f8e3baec94752cc8d38bae64d03f4961beef8c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 18 Sep 2017 14:07:12 -0700 Subject: [PATCH 097/147] Remove annoying error message from connsize bifs. The connsize bifs used to output a reporter message when they could not find the associated connection. This patch disables this message; it is not useful and can happen during normal operation when trying to use thresholding on short-lived connections. This case is still reported by the boolean value that the respective functions return. --- src/analyzer/protocol/conn-size/functions.bif | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif index a05359a17b..225e9db913 100644 --- a/src/analyzer/protocol/conn-size/functions.bif +++ b/src/analyzer/protocol/conn-size/functions.bif @@ -5,10 +5,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid) { Connection* c = sessions->FindConnection(cid); if ( ! c ) - { - reporter->Error("cannot find connection"); return 0; - } analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE"); if ( ! a ) From 2a873f5aeddb1dc161c0ff64e566461bf225d9dc Mon Sep 17 00:00:00 2001 
From: Johanna Amann
Date: Mon, 18 Sep 2017 14:33:22 -0700
Subject: [PATCH 098/147] Prevent crash when calling bro -U [unwritable destination] set_processing_status can be called before reporter is initialized or after it is deleted. Work around by sending data to stderr instead. Patch by Thomas Petersen.
---
 src/util.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/util.cc b/src/util.cc
index acfcb19573..a035da1739 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1397,8 +1397,12 @@ void _set_processing_status(const char* status)
 {
 char buf[256];
 strerror_r(errno, buf, sizeof(buf));
- reporter->Error("Failed to open process status file '%s': %s",
- proc_status_file, buf);
+ if ( reporter )
+ reporter->Error("Failed to open process status file '%s': %s",
+ proc_status_file, buf);
+ else
+ fprintf(stderr, "Failed to open process status file '%s': %s\n",
+ proc_status_file, buf);
 errno = old_errno;
 return;
 }
From fc33bf2014704fe0ae512b76dae64de7fc5e83ac Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Mon, 18 Sep 2017 14:43:42 -0700
Subject: [PATCH 099/147] Make strerror_r portable. This uses the same code that broker already uses to determine if we use the XSI or gnu version of strerror_r. Patch by Thomas Petersen.
---
 CHANGES | 18 +++++++++++++
 VERSION | 2 +-
 src/File.cc | 8 +++---
 src/Flare.cc | 2 +-
 src/Pipe.cc | 2 +-
 src/PolicyFile.cc | 2 +-
 src/analyzer/protocol/tcp/TCP_Endpoint.cc | 2 +-
 src/file_analysis/analyzer/extract/Extract.cc | 2 +-
 src/input/readers/raw/Raw.cc | 6 ++---
 src/logging/writers/ascii/Ascii.cc | 2 +-
 src/threading/BasicThread.cc | 2 +-
 src/util.cc | 27 ++++++++++++++++---
 src/util.h | 6 +++++
 13 files changed, 63 insertions(+), 18 deletions(-)
diff --git a/CHANGES b/CHANGES
index 3e2b575dd6..71be3f743b 100644
--- a/CHANGES
+++ b/CHANGES
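Review bot: The `if ( reporter )` guard only covers the "after it is deleted" case from the commit message if the shutdown path resets the global `reporter` to null after deleting it; if the pointer is left dangling, the check passes and the call is a use-after-free. That is not visible from this hunk, so it is worth confirming where reporter is destroyed, and stating the assumption at the guard, e.g. `// reporter is null before initialization and after shutdown.` The fprintf fallback is a reasonable choice for a path that runs during startup and teardown. _set_processing_status begins outside the hunk.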
@@ -1,4 +1,22 @@ +2.5-306 | 2017-09-18 14:43:42 -0700 + + * Make strerror_r portable, supporting XSI/gnu versions. (Thomas Petersen) + + * Prevent crash when calling bro -U. (Thomas Petersen) + + * Remove annoying error message from connsize bifs. (Johanna Amann) + + * Add test to verify that log rotation works with gzipped logs (Daniel Thayer) + + * Fix ascii writer to not discard a ".gz" file extension. (Daniel Thayer) + + When Bro writes a compressed log, it uses a file extension of ".gz". + However, upon log rotation the ascii writer script function + "default_rotation_postprocessor_func" was discarding the ".gz" + file extension. Fixed so that the correct file extension is + preserved after rotation. (Daniel Thayer) + 2.5-297 | 2017-09-11 09:26:33 -0700 * Fix small OCSP parser bug; serial numbers were not passed to events diff --git a/VERSION b/VERSION index a5ed34e608..e018451797 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-297 +2.5-306 diff --git a/src/File.cc b/src/File.cc index 7c4a21d5e8..e0e0d63332 100644 --- a/src/File.cc +++ b/src/File.cc @@ -302,7 +302,7 @@ FILE* BroFile::BringIntoCache() if ( ! f ) { - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("can't open %s: %s", name, buf); f = fopen("/dev/null", "w"); @@ -313,7 +313,7 @@ FILE* BroFile::BringIntoCache() return f; } - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("can't open /dev/null: %s", buf); return 0; } @@ -323,7 +323,7 @@ FILE* BroFile::BringIntoCache() if ( fseek(f, position, SEEK_SET) < 0 ) { - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("reopen seek failed: %s", buf); } @@ -413,7 +413,7 @@ void BroFile::Suspend() if ( (position = ftell(f)) < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("ftell failed: %s", buf); position = 0; } 
diff --git a/src/Flare.cc b/src/Flare.cc index 5df6d663aa..87dc946955 100644 --- a/src/Flare.cc +++ b/src/Flare.cc @@ -16,7 +16,7 @@ Flare::Flare() static void bad_pipe_op(const char* which) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->FatalErrorWithCore("unexpected pipe %s failure: %s", which, buf); } diff --git a/src/Pipe.cc b/src/Pipe.cc index 3f60409fdb..3775ca705d 100644 --- a/src/Pipe.cc +++ b/src/Pipe.cc @@ -12,7 +12,7 @@ using namespace bro; static void pipe_fail(int eno) { char tmp[256]; - strerror_r(eno, tmp, sizeof(tmp)); + bro_strerror_r(eno, tmp, sizeof(tmp)); reporter->FatalError("Pipe failure: %s", tmp); } diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc index bd41c15e9d..22f09e6970 100644 --- a/src/PolicyFile.cc +++ b/src/PolicyFile.cc @@ -84,7 +84,7 @@ bool LoadPolicyFileText(const char* policy_filename) if ( fstat(fileno(f), &st) != 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("fstat failed on %s: %s", policy_filename, buf); fclose(f); return false; diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index 7c359623f3..c3175ec9f5 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -229,7 +229,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen, if ( fwrite(data, 1, len, f) < unsigned(len) ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("TCP contents write failed: %s", buf); if ( contents_file_write_failure ) diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index c758414a6e..f936a5156b 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc 
@@ -20,7 +20,7 @@ Extract::Extract(RecordVal* args, File* file, const string& arg_filename, { fd = 0; char buf[128]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("cannot open %s: %s", filename.c_str(), buf); } } diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index ae1f0939a8..27d8b0c685 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc @@ -90,7 +90,7 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags) return true; char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to set fd flags: %s", buf)); return false; } @@ -197,7 +197,7 @@ bool Raw::Execute() else { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Warning(Fmt("Could not set child process group: %s", buf)); } } @@ -293,7 +293,7 @@ bool Raw::OpenInput() if ( fseek(file.get(), pos, whence) < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("Seek failed in init: %s", buf)); } } diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index dec1689df4..baaba22665 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -414,7 +414,7 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t if ( rename(fname.c_str(), nname.c_str()) != 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to rename %s to %s: %s", fname.c_str(), nname.c_str(), buf)); FinishedRotation(); diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index d63b307470..3b6f5d6532 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc 
@@ -98,7 +98,7 @@ const char* BasicThread::Strerror(int err)
 if ( ! strerr_buffer )
 strerr_buffer = new char[256];
- strerror_r(err, strerr_buffer, 256);
+ bro_strerror_r(err, strerr_buffer, 256);
 return strerr_buffer;
 }
diff --git a/src/util.cc b/src/util.cc
index a035da1739..a2f0cb8c94 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1012,7 +1012,7 @@ FILE* open_file(const string& path, const string& mode)
 if ( ! rval )
 {
 char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
 reporter->Error("Failed to open file %s: %s", filename, buf);
 }
@@ -1396,7 +1396,7 @@ void _set_processing_status(const char* status)
 if ( fd < 0 )
 {
 char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
 if ( reporter )
 reporter->Error("Failed to open process status file '%s': %s",
 proc_status_file, buf);
@@ -1616,7 +1616,7 @@ void safe_close(int fd)
 if ( close(fd) < 0 && errno != EINTR )
 {
 char buf[128];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
 fprintf(stderr, "safe_close error %d: %s\n", errno, buf);
 abort();
 }
@@ -1749,3 +1749,24 @@ std::string canonify_name(const std::string& name)
 return nname;
 }
+
+static void strerror_r_helper(char* result, char* buf, size_t buflen)
+ {
+ // Seems the GNU flavor of strerror_r may return a pointer to a static
+ // string. So try to copy as much as possible into desired buffer.
+ auto len = strlen(result);
+ strncpy(buf, result, buflen);
+
+ if ( len >= buflen )
+ buf[buflen - 1] = 0;
+ }
+
+static void strerror_r_helper(int result, char* buf, size_t buflen)
+ { /* XSI flavor of strerror_r, no-op. */ }
+
+void bro_strerror_r(int bro_errno, char* buf, size_t buflen)
+ {
+ auto res = strerror_r(bro_errno, buf, buflen);
+ // GNU vs. XSI flavors make it harder to use strerror_r.
+ strerror_r_helper(res, buf, buflen);
+ }
diff --git a/src/util.h b/src/util.h
index a2c1b78db3..30ef8a61da 100644
--- a/src/util.h
+++ b/src/util.h
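Review bot: In the `char*` overload of `strerror_r_helper`, the GNU strerror_r may return `buf` itself rather than a static string, and in that case `strncpy(buf, result, buflen)` copies a region onto itself, which is undefined behaviour for strncpy because the source and destination overlap. A `buflen` of 0 would also make `buf[buflen - 1] = 0` write before the start of the buffer. Both cases are avoided by an early return at the top of the helper: `if ( buflen == 0 || result == buf ) return;`. The XSI overload also ignores a non-zero `result` (the error code strerror_r reports on failure), leaving `buf` with whatever it held before, so bro_strerror_r's contract on failure should be documented or the buffer cleared.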
@@ -516,4 +516,10 @@ struct CompareString
 */
 std::string canonify_name(const std::string& name);
+/**
+ * Reentrant version of strerror(). Takes care of the difference between the
+ * XSI-compliant and the GNU-specific version of strerror_r().
+ */
+void bro_strerror_r(int bro_errno, char* buf, size_t buflen);
+
 #endif
From 5243a054efc192300fe70be8888bc5d491cbb766 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 19 Sep 2017 09:23:09 -0700
Subject: [PATCH 100/147] Fix segmentation fault on eval condition with no return value. Signatures using an eval-condition that had no return value caused a segmentation fault. This fix just returns false in this case, as it is done for an interpreter error.
---
 src/RuleCondition.cc | 9 +++++++--
 .../.stderr | 3 +++
 .../.stdout | 3 +++
 .../eval-condition-no-return-value.bro | 20 +++++++++++++++++++
 4 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr
 create mode 100644 testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout
 create mode 100644 testing/btest/signatures/eval-condition-no-return-value.bro
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 9df70f118b..bdf31b50bc 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -175,8 +175,13 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 try
 {
 Val* val = id->ID_Val()->AsFunc()->Call(&args);
- result = val->AsBool();
- Unref(val);
+ if ( val )
+ {
+ result = val->AsBool();
+ Unref(val);
+ }
+ else
+ result = false;
 }
 catch ( InterpreterException& e )
diff --git a/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr
new file mode 100644
index 0000000000..a5c39c9247
--- /dev/null
+++ b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr
@@ -0,0 +1,3 @@ +1329843162.083353 warning: non-void function returns without a value: mark_conn +1329843164.920456 warning: non-void function returns without a value: mark_conn +1329843200.079930 warning: non-void function returns without a value: mark_conn diff --git a/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout new file mode 100644 index 0000000000..9f4b814adb --- /dev/null +++ b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout @@ -0,0 +1,3 @@ +Called +Called +Called diff --git a/testing/btest/signatures/eval-condition-no-return-value.bro b/testing/btest/signatures/eval-condition-no-return-value.bro new file mode 100644 index 0000000000..b1a4f5781f --- /dev/null +++ b/testing/btest/signatures/eval-condition-no-return-value.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +@load-sigs blah.sig + +@TEST-START-FILE blah.sig +signature blah + { + ip-proto == tcp + src-port == 21 + payload /.*/ + eval mark_conn + } +@TEST-END-FILE + +function mark_conn(state: signature_state, data: string): bool + { + print "Called"; + } From ed678dd72c25a15e050660f0304ca361e5704c13 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 19 Sep 2017 09:38:08 -0700 Subject: [PATCH 101/147] Add -B scripts flag to allow debug output of script load order. This patch adds a "scripts" option to -B, when Bro is enabled with --enable-debug. This option will output information about the scripts that are loaded to debug.log, showing their exact load order. --- src/DebugLogger.cc | 3 ++- src/DebugLogger.h | 1 + src/scan.l | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 6a095a15db..07590590df 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc 
@@ -19,7 +19,8 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "logging", 0, false }, {"input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, { "plugins", 0, false }, { "broxygen", 0, false }, - { "pktio", 0, false }, { "broker", 0, false } + { "pktio", 0, false }, { "broker", 0, false }, + { "scripts", 0, false} }; DebugLogger::DebugLogger() diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 3ec3979e7f..1eb8e30417 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -33,6 +33,7 @@ enum DebugStream { DBG_BROXYGEN, // Broxygen DBG_PKTIO, // Packet sources and dumpers. DBG_BROKER, // Broker communication + DBG_SCRIPTS, // Script initialization NUM_DBGS // Has to be last }; diff --git a/src/scan.l b/src/scan.l index 4fd2aac1c3..215b5d7c30 100644 --- a/src/scan.l +++ b/src/scan.l @@ -636,6 +636,8 @@ static int load_files(const char* orig_file) broxygen_mgr->Script(file_path); + DBG_LOG(DBG_SCRIPTS, "Loading %s", file_path.c_str()); + // "orig_file", could be an alias for yytext, which is ephemeral // and will be zapped after the yy_switch_to_buffer() below. yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE)); From 4ec7d66468be4b8756fba8458f451a857b03d5f1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 20 Sep 2017 10:51:09 -0500 Subject: [PATCH 102/147] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 1ab5ed3d3b..e3fbf9145d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 1ab5ed3d3b0f2a3ff231de77816a697d55abccb8 +Subproject commit e3fbf9145d9f4c8d23d369377a5b2a46450f4bed From 8403fd9f942a45355dc3f1c56abe6717fb605411 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 20 Sep 2017 11:04:04 -0500 Subject: [PATCH 103/147] Updating CHANGES and VERSION. --- CHANGES | 5 +++++ VERSION | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 71be3f743b..9075752ca7 100644 
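Review bot: The new table entry `{ "scripts", 0, false}` drops the space before the closing brace that every neighbouring entry has; write it `{ "scripts", 0, false }`. The array is declared with NUM_DBGS elements and is presumably indexed by the DebugStream enum, so the new entry must sit exactly where DBG_SCRIPTS is inserted in the DebugLogger.h hunk (just before NUM_DBGS); a comment above the array such as `// Order must match enum DebugStream in DebugLogger.h.` would make that coupling visible to the next person adding a stream. The array initializer begins outside the hunk.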
--- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-307 | 2017-09-20 10:51:09 -0500 + + * BIT-1846: Updating broctl submodule to include fix for symlinking + issue (Jon Siwek) + 2.5-306 | 2017-09-18 14:43:42 -0700 * Make strerror_r portable, supporting XSI/gnu versions. (Thomas Petersen) diff --git a/VERSION b/VERSION index e018451797..0c08066503 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-306 +2.5-307 From 6b864d5dd24830672e2cdb030ab64e78f5f36d38 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Thu, 21 Sep 2017 10:50:26 -0400 Subject: [PATCH 104/147] problem: gridftp threshold is being applied to all connections The bytes_threshold_crossed event in the gridftp analyzer is not first checking to see if the connection passed the initial criteria. This causes the script to add the gridftp-data service to any connection that crosses a threshold that is the same as or greater than the gridftp size_threshold. --- scripts/base/protocols/ftp/gridftp.bro | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.bro index 68be66d53a..5090eebb3d 100644 --- a/scripts/base/protocols/ftp/gridftp.bro +++ b/scripts/base/protocols/ftp/gridftp.bro @@ -74,6 +74,8 @@ event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is { if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time ) return; + if ( ! data_channel_initial_criteria(c) ) + return; add c$service["gridftp-data"]; event GridFTP::data_channel_detected(c); From 411144bcf5fff8763d21ad48c44205d002262957 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 21 Sep 2017 10:11:54 -0700 Subject: [PATCH 105/147] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index e3fbf9145d..e960be2c19 160000 --- a/aux/broctl +++ b/aux/broctl 
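Review bot: The added `data_channel_initial_criteria(c)` test in the gridftp.bro hunk is a second early return directly after the existing guard, so the handler now has two consecutive `return` gates expressing one precondition. Folding it into the existing condition as a final disjunct keeps the cheap comparisons first and reads as one rule: `if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time || ! data_channel_initial_criteria(c) ) return;`. The event handler's closing brace is outside the hunk.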
@@ -1 +1 @@ -Subproject commit e3fbf9145d9f4c8d23d369377a5b2a46450f4bed +Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc From fa88646eec440d72c8f6b6924152f91f59fc2555 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Thu, 28 Sep 2017 09:34:38 -0400 Subject: [PATCH 106/147] problem: broctl can trigger intel reporter error a broctl print triggers this error Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr]) /usr/local/bro/share/bro/base/frameworks/intel/./cluster.bro, line 39 when broctl connects p$descr is empty. It should probably be set to 'control' somewhere inside broctl, but that would only fix broctl, not other clients. diff --git a/aux/bro-aux b/aux/bro-aux index 02f710a43..43f4b90bb 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 02f710a436dfe285bae0d48d7f7bc498783e11a8 +Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 diff --git a/aux/broctl b/aux/broctl index e960be2c1..d3e6cdfba 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc +Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723 diff --git a/aux/btest b/aux/btest index 2810ccee2..e638fc65a 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a +Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 820a5497a..e75bdd057 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro 
@@ -32,7 +32,7 @@ event remote_connection_handshake_done(p: event_peer) { # When a worker connects, send it the complete minimal data store. # It will be kept up to date after this by the cluster_new_item event. - if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) + if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) { send_id(p, "Intel::min_data_store"); } --- scripts/base/frameworks/intel/cluster.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 820a5497a2..e75bdd0573 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro @@ -32,7 +32,7 @@ event remote_connection_handshake_done(p: event_peer) { # When a worker connects, send it the complete minimal data store. # It will be kept up to date after this by the cluster_new_item event. - if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) + if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) { send_id(p, "Intel::min_data_store"); } From d7fbaad0247d3c49e54db574e59af8447d2f4082 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 5 Oct 2017 14:36:13 -0500 Subject: [PATCH 107/147] Add btest for new SSH curve25519 KEX --- .../ssh.log | 10 ++++++++++ .../btest/Traces/ssh/ssh_kex_curve25519.pcap | Bin 0 -> 12946 bytes .../base/protocols/ssh/curve25519_kex.test | 6 ++++++ 3 files changed, 16 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log create mode 100644 testing/btest/Traces/ssh/ssh_kex_curve25519.pcap create mode 100644 testing/btest/scripts/base/protocols/ssh/curve25519_kex.test diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log new file mode 100644 index 0000000000..4364419aff --- /dev/null 
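Review bot: The comment above the changed condition still reads as if every handshake comes from a cluster node, while the added `p$descr in Cluster::nodes` test exists precisely because non-cluster peers (the commit message names broctl, whose descr is empty) now fall through silently. A line next to the condition such as `# Peers that are not cluster nodes (e.g. a broctl/control client) have no entry in Cluster::nodes and receive nothing.` would record that. The same hunk is printed twice in this commit; this applies to both copies. The handler body continues outside the hunk.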
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2017-10-05-19-34-53 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key +#types time string addr port addr port count bool count enum string string string string string string string string +1505524964.630115 CHhAvVGS1DHFjwGM9 192.168.1.100 60906 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_7.4 SSH-2.0-OpenSSH_7.5 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256 ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 +#close 2017-10-05-19-34-53 
diff --git a/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap b/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ed31228eec65639580593c4b55e3209a0e068f85 GIT binary patch literal 12946 zcmdsdcRZEv|Nm|8ooI+;q>wEmBYPw>QQ5~x*)k$38uln7GPC!lMaeEnRw|-ILMmkY zUe}THemlnd^XKpJI}aE4x$o;dU(eU`HLmNvkB-{nWLyLv`R9d?;D9$@ydE1&M3EpG z;24fJ%~&n|V?rVlZ#o-^5d{R1xm7HK$Pn`K*JR>YfWb08itJ2K$`*%6g}5s#i60OI z7oVUM2M><`2Zxx{!qD9gUc<*-MSmDaf~bP`aIE64+CZaA0s{cOd>A4_3&_s#QK{VP zFMtJ!Bw9xn!R%FZd|YBu1|tDshz=|fLEggv`8Ys@V*_uYg9#8hL<@_z1VFFzrKYB@ z^+k}seC;7JL^Quog6IP@I5r@vI2?qCip85EGE&p8JY0{cqod3tz{|&T(g9@$j*Ufm zg(yg&8N8H#h;NWYsOUE|gTII+Nga?x)0Z0g+#bJb29Op3a@a$}n`QqH-+-u6G=)a| zx+x+f@|mI?gD3$JHxd_KC0+o`Y^`|kGiZj37fT;apm;A@aW#xSE`YoQB<@v3g7gv~ z=z*;`!OMw4i1<8xQ$(P+oZfmw1R=OXwnIw)?QfIm$}|bn8^7&~DRIFZK66*6ODF+h zVSX_lXKPadVG-^PXJjtem^nLJ^V&OEaih#FtkDyB>};G}9N>JcQ-Vi@uulmK@N-+( zSX$bkc&t$uE?hLVu$g8%4tSJxTXoCCkm zw#Ly{`MFWb#1`o<&RWx&ylMBx!K7JW{kjzjebNh?jaDtPwDbJP{ z|9+YqPJ*)YK>sjrpsIf%pp7I=P)uO$5Lj6|gcGdHFJgZV&e-HM8qUld z1GjpJhBE_U`+tv6r|U&ia~=^P9+b;^AJONbJJ=Vj;Rn$90^QpBD#)fSukvrW@|VUs znb#<+JGst0_doAo@~*vuq5uEZvE6p|b|`L7&=1$?0#5+9x4#M|Y<$5^&-#!AIS;lR za9}S{IA@EdVW-Dy$6BI#(Tg5fqNW#CJ3Ux8j)5i01-xS;-7&(S@SRDl%iU5iZsZ+D z+$mt0WN31FjRCk5yL&S=6q!>i(SRz72GwAKc-1=Dh z<0dE-jDQWyT+3xlEUjQHA!0i~bOP+*z}^QS7E`I{eZZbgIWkg{xv^t7CIF6B0EC-x zANb93BclFrqq0}s5jmzwa)u-3QF|Hv^&{o`C~Lkh+$GZB1arU(GI(mbtxtc@KFx0Q zsgM!v6AQ*CYv5A?S|vwPWCrX$;J{W1ccf?*BI3$zipYq}c^F|3FF-`_ZiavUknm zOm@r)wdH=8e9|~lU!HV-X^Q-MZc@zg~ji znCxF3g10PXrS|(vuXujlGx3Y_&TbhdwKSa%l43+NRI=T3{tg9cV2;klkIC>fxgIV$ zvoe3V#>Uc2h|~@zV9KJ=KlDVIhQBC{f$EfCM0bgRZ=R{Z@vzI^)h}6mwiOXzy6gY0 zD6!XtD!v@-Oc9ojBNXAuFa6Y#RKh}&0-PR8RlgKkroEHh|7yS7fUytD7N(m|a!KMZ z`V74D5pDSFF02|%&?_B$NU}H2$NEC6Vmo(UmlE>Uhg{DMPqTQwGi*OHbSmZhTc=3f zeTB7Y98!1y_V0_Flz#0HK|F??`K%%XAjo6Aa`MxV{Fmvslr#>k8*{z7Wdp$ zx~O16`FU39=+%TKb{wYV^F8zvhD=-v?6H@jG0Jl zv#5+H%061VYwGmrLXdJ}(ip+61JG5#b0e>xzd6+m3`XM;i} 
zMGI)e#!V4HZzB?0kJ$b7=~L#{i2|hW!`Yge0H(d9;%QGviJk)RK ztyfObr+*7tfATMXHmE5iBnquxtHe@M7pOT1a%#CU45MZzP%{Z49+f6TZh+Xpu>sNj zcK}4JML(f{KCM0jDO^Pa@foaIkLZ?|_O$?K34c;}p1YuurQz{Qr>K^Nl)Q(+We1qq zEYFrKbcBj7T#@Gp`}D)Fv8XLP&T5Ppf66O-qRPHTGw95a~SrH8VYfwoSTlwsO+Gj%=IrUY0)|o|Mv5@T)kcA<_BsF zulSz+$kJh3agVq|(!D;YA(k_nw5yIM?Lfwk%JhjB-hLP6D4DB6cPS8ZDAt#qQ20g> z86@`Z%A-ilRt4qKX?4**+7TII@*l2OWj&Wo>F}@lMYY#4XSRNp-=sg%Uh|J<1?tD6 zC>cD;V_8TVG1+lKd^aUx`NnAtVF8`T-jRVh%P6n@kIC^$ik$kzk4yz@Dh{c?N&aT* zm7u%inJ&tCBT6pd28y;RWRfft3GOERVi?F$XD=kx3e_#q-Zop7(Afgx^{;HXMVX*f z^uU)9hk6A(X@h+c#3~JBOBdA%gL56GWd@PlO@T-7+^UT_qW)+E9hGm4XW*-DdnZ`s z(J~=c#3^}SS)UJD{|&5foh^Slp!MqA>tkE=0A!0e%$D+gOl;pl1`zSQ4jEDoG6jwe z*^-&c0TF5SHbn&4!U1m4{`Pq^VpaEDCj$ML?QPDEEP zXGWyLiQOudx*=aO_fF0j=RJ=h@s0z{PAm@wT{Xk0EmBA6qf$^btnJ;I`-p38K2RI| z=zV~nD#i0hE{!Rl^<%e+Y(gr@QA35;DDUfprV?cHbGO5-6(bpAm3K1B_bcA(@@76` zbby0fwPPH2z{XYl9xoBsCy#iq$3e;uk9(UxM&@N&rOyzbF}_|sgd5yp(A@uMfR}rx zc}i+bywdmC=+pa^_ur{}wq(Jmw(#cHifg$$#Vhrcr)N=DPw+kvt!4N#>D+a%4o{s@ ztBS1t1_4d5zEwx#8M?9}s=1AC>w z@hw`0QN&Bb%1ZGBr4mMvl^mo(n5@hIS^4g6?{1Z7HSKr!N$s_R1oSEyBW6JnlQfOQ z>DAJylPouw-X35lqj5&@KQNUhmmkaWJ7oUps#Z;O(lWPl*N5v-UGy0likv=oaQa4* z4!1qn{fnf)Fh2uddJh}@?lDIlBK0~=YAqThj91!oEHz#G-QWx>rIB|=pGVGY!9bbF z?oYG4-5+Ik*ZDQ7tA<7-JdTZbpj8=jeJFkD_b1`~CRuo2cezrGTyy$46JHwl05@tl z`ec49E1smgWYM#$4_S+RDwV7QC@ZK@KYwTiy-qZsPn1>JUAve-lCm=2MuNjF``ahu zu<>u{yVq#jI6_5pyp}xtd&>BFEcggNmk0Kj_#b@yYI4v(&iG)Jfa!>-uuF;so#~a9 z;Dp8x+Er6x#Hgg;xjVE2-0IJslJn8M&l`$5R!?N!w%gZ)^pXXJfa zMi^jp_8V+hwUZxUbn0o>*H{VIo!!0xs&=~cpZl&}P_-ElvDb6q#Y7Iyl;8+j^$vd;GwMCeNyK9BKdTvjR}-9e z>vRA4d=K$Jt;%$@v3l_V3vSI(!zQ24$6~$(+tD_Mg#?WxEEg6(l#%sGj4vvD|IPa? 
zv+5m^d}W16O^OD=P~D@K)1+Q>$I05rP793u;gd-l*}3EE!0TrkL{{p#f;5BYQfz(@ zbt+sh^vR5@SG!##T`cI$J6adU;+Akff4*!*nm{yXa3)P99M621XvFagt5D{d7UCLQ z5$&BtLw7sc&V8Rq_&$1*@Og9Pi@Czec7wC3h1R*w#x{rd`k!k5<*sR@CiC6KC6lU2 zp5)T}zJNHzspR*Ri41t3gU6TYR4jzJQzz7BUK=*wF16K^FQAcOLqu5T_VemoC8*dFD1TZO-FcOfwv4SgBAv;4*O1mCT|?!l$&XowYSTSUEymerj(X}t zU9y1}TkFEl4ZZNM-Ka~zPN2(T;UA1H{XmyIh$t3GhFk)gz=7Sh5bG0O5YYy!YeA&} zBIsKB$r!}15YbRWqU_oHn-&Q#7W^UBW($h=tobiT#$1EE<-B=hBFRT}C)yS}g62B+ zwy9BvsT9ZmA!mgwP|@4%;EHk3(Rsc;IsxF@*s>m&UE1oH=v08{e07NF@g(&~t81Bk zn`_&`6T5qVmQ~M6tKvA70_C|!NpykFQ}!L$ugNVQ(UZ4k%1df3RIH}rdTg(Kxf^np>fW3AR^&rrWq*WdgiN`yI+z)K-TtgW<7kNN3M%dW=v(WK2s zdTCe>ztvNqE2eumB+fr))I4&1JdWOq^4LQ>L#`4^S3j|boB|J3P6@sf41KIocK1$u zp~k6+-ZkNg?`dxkaZhk(=ygi%OEZ{)ZM4ThH z|G4f2ii+$chvSlTSN1;(YCMv*(w3HTht>pBJ^knWV_J3 zzIrN7gL=$|T`oTwQ#~V~9xEZD^0tT-==Ed;>ze?G7)S~b=klf2BMt$?m01M20@Q?K zgQ5<__-I8F*DD%Gx~8aV(ONzT4ugCcnYD4es;X;lM?gZOQcN-Se7Lyw^;jqWq`mm5 zx8XMbD{YDvfrW>n?3_JM3rbF2Ri0#(EAH;7OV`ngbF z#zw^g6=4U<$y@W!lZ3%Ya2O(nsNf;X01b`}{!JDWp#9s2<)7l3e@fsX`072i&=m_q zPm(=u`wgUiaX6NGo#nN6Xd4b{emu{7QuL57C66x8Dc6t+`^az|3jM^a3@+)#@!re_ z`F#_1l^-n3^^5R#>3=XEnuwx2oP3k2wxPqou^_fY#mvTk`P5=ZX-poEgN1TplaoeI zz)W@2yrO+vuVs?zx5hnQ=eR6;*rSfIa@@H{zEUt}CV7b!wg2qVch;RWITWu|n1e3K z-4fWVzQbmS%l3}t?9xXGZtgMP496@IjF1PO&%d@Kw z-j_%=IbAFF-_hTh*tpkMlc#Wqz* zjAjvs#lmcjg>>M07H4B5I#{b3rxsK`hvF_4=F%R1b3^|$)%!bYq-OYj={=!R%o?(k zsI1od1yW9-~vIHTU2*76RxRu?2Y;X)VQP~VuWtR0ul_R%Bq#K8b zDZe&BOaO?BS-cw&N7(U^OJJ7*2X@?Wtcyt?B3=rXVhL-Cb$r1n26kSa_i73qG!7o3 zJC@#BDyGyD#$+A;P36US$g(SKD2wV--!rDwxn0JC8s~=l7f$DJ4)}_@35XIl#`Db) z)>vqZ$L!8I<3`{>UTsr<=m)1ROUqJV;Qo|@ans~=&PNK#-{V@GRTmr3=}a$ebx_K! 
zH({HU`(Z$v?a1Y{IGK;Hq126BJankR8$b6o*NmQ2EFw9z&u!=`b$>|!y9J6|`!HQ* z*V&|IQa@u&t-8Je>BIGNCJJ4R6#T8!25eF9JXAsm8cMAychQ}?k9%sgFf=;dm-+m4 z?&-KxBQ2BW9a8i|b=RJ|aPHe3+m+Og`%P6YoG<$Mgy0B~hjCV`$VcY*%L=6>yVNBX z_TRk!W#wnwYqK7qf+#B2i>Mfe{=$=c9n-#5;=bfa+o57yAx*VUmAmDRz@E`>FjK}r z6t?Lvr0BfOS|5er_O&RKm93A0+u`r`WUK?!kE)O|mbPhsm~q7`8!3*{Ey8nuAF_|g z?>pgxy|m|W#y=i!j)d0zIPka2Q%Q85rf$rt;C7HzGZ_(>tZD=OrQ*L4U(-Xx;igRx zmjU8*#^2QgWE2LmMj9VU2RRDIhCGcaCPU|`1C~O|YYKII$0+m^qSiEMaO;NFpLk$- zTwd_=^CVe~jF|}UovP%Y$P$HWS|Tgh^q6o0nU?4Yj5 z=i~|Mx-&69JT>8z`@`X&+n+IhUT-B=3Ioy`t}-vR#dZ7Jf81m6AM|)s*NDE-%%*p7o2+H!e!FL9Abq^DV&C4;zF@!?EbHX zD#s0G>6pU4pU)A>)?TUOV{)l|nQ7}3blCgd$lxC>f_~?R5dw?NXN3=QMaPDJND31_ zwxBne_r}G#SRpN9*krJ0|Ad)qk9uELQLhm!_2n&V|RZT1^jypB^Qn);bLH;0K7>HhE2s z&TF_Y`PY;AP)tAGE3!Un;s@C}9o-A@Z&xQJbLZVPHY++%nXou$nE8@GAD0=wb?Q}l z`fqJZy#vgOQqcM|u)cNw?Y;%A_n+FBg`u$jPNjhz-s*F7Pw;J-&{K%WF0&otRU?Qf ze03AV5P-Ox_Iy3!SAdu`OpaKBT?HH)c5bI-A3{V|oJ|qIoua^*HALTF$dM>eT7xhl z?W~^S*y*vyP3(2lxYL7Yi6dj&v@fMUuriMDly8DodB@4OTdgV3aY?|6O9-eYFL*aI z`nTd4jKupa41I%7pJly@EBfSC;ww&gUUq)7A0fOe$ zR5G0wh)toTR+k9h&?QE-y);>J#rRtNr`S76yQQuM~qza?c5)kbRB37YuzwmXhm> zo^%Rc9H5{O_VGX8*6VSN`@pRwIjt4_n-a0Fx_(j};;WA;zs#Wt0?iy9){&)F0a zR4Rerdc-G`FBgRGe9!rGrtAX8Go0F-yx1O>VaBeQ^n0wkcbm0z9%%ant?B@)YdhKv z{lS4_540L~3(IPfRBl)od_FhQx8ABr#OIe$$9BvOW=Om@C8u*v_M19DG?6u{{E@wp zu}mZQQC#^qo1jPS<{u7P3nWs<1*){nn58kMu-__hfoyC6o2^y#M&Fr>wP3ONfM!EO zjYNN3&jupicl!r%L#7H9qgBO!4G{mGsa+sbKl)PR=%n9TMFcUz1(})!5tFw^q(SF? r>!ye_0P*HV#NmG-Zis Date: Mon, 16 Oct 2017 12:21:01 -0700 Subject: [PATCH 108/147] Updating submodule(s). [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- aux/broctl | 2 +- aux/btest | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 2f517f5eda..378617437b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-327 | 2017-10-16 12:21:01 -0700 + + * Updating submodule(s). + 2.5-326 | 2017-10-05 14:34:20 -0700 * Update the SSH analyzer to support the "curve25519-sha256" KEX. 
diff --git a/VERSION b/VERSION index 4da989f1b2..8f5b04adbc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-326 +2.5-327 diff --git a/aux/broctl b/aux/broctl index e960be2c19..5c1cb0d54d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc +Subproject commit 5c1cb0d54d7814a58f1c0cc03c5be99aac0daf23 diff --git a/aux/btest b/aux/btest index 2810ccee25..154dd9f9b2 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a +Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 From 6c0f101a62489b1c5927b4ed63b0e1d37db40282 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 16 Oct 2017 13:13:41 -0700 Subject: [PATCH 109/147] Patch OOB write in content-line analyzer. A combination of packets can trigger an out of bound write of '0' byte in the content-line analyzer. This bug was found by Frank Meier. Addresses BIT-1856. --- src/analyzer/protocol/tcp/ContentLine.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index f5dd7aaf07..a830cc8a7d 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -250,6 +250,16 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) case '\n': if ( last_char == '\r' ) { + // Weird corner-case: + // this can happen if we see a \r at the end of a packet where crlf is + // set to CR_as_EOL | LF_as_EOL, with the packet causing crlf to be set to + // 0 and the next packet beginning with a \n. In this case we just swallow + // the character and re-set last_char. + if ( offset == 0 ) + { + last_char = c; + break; + } --offset; // remove '\r' EMIT_LINE } From 9b59157d1928e2a1678bc81669d16a1dce358bc6 Mon Sep 17 00:00:00 2001 
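Review bot: The diffstat shows this memory-safety fix in ContentLine_Analyzer::DoDeliverOnce lands without a regression test, although the new comment describes the exact two-packet sequence (a packet ending in `\r` with crlf set to CR_as_EOL | LF_as_EOL, then a packet starting with `\n`) that would reproduce it; a btest with such a trace would pin the `offset == 0` path. The comment could also name the invariant the guard protects, hedged because how offset reaches 0 is not visible here: `// offset == 0: the '\r' has presumably already been consumed as a line end, so there is nothing to strip and --offset would go negative.` DoDeliverOnce starts and ends outside the hunk.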
From: Johanna Amann Date: Mon, 16 Oct 2017 14:34:26 -0700 Subject: [PATCH 110/147] Updating CHANGES and VERSION. --- CHANGES | 8 ++++++++ VERSION | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 378617437b..f776f2817a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-328 | 2017-10-16 13:13:41 -0700 + + * Patch OOB write in content-line analyzer. + + A combination of packets can trigger an out of bound write of '0' byte + in the content-line analyzer. Addresses BIT-1856. + (Frank Meier/Johanna Amann) + 2.5-327 | 2017-10-16 12:21:01 -0700 * Updating submodule(s). diff --git a/VERSION b/VERSION index 8f5b04adbc..a0bdbec59b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-327 +2.5-328 From 924ed053c7149db3b89735a16626629d8d0fc893 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 19 Oct 2017 10:27:11 -0700 Subject: [PATCH 111/147] Fix OOB read in Sessions.cc IP packets that have a header length that is greater than the total length of the packet cause an integer overflow, which causes range-checks to fail, which causes OOB reads. Furthermore Bro does not currently check the version field of IP packets that are read from tunnels. I added this check - otherwise Bro reports bogus IP information in its error messages, just converting the data from the place where the IP information is supposed to be to IPs. This behavior brings us closer to what other software (e.g. Wireshark) displays in these cases. --- src/Sessions.cc | 36 +- src/Sessions.h | 8 +- .../protocol/ayiya/ayiya-analyzer.pac | 5 + .../protocol/gtpv1/gtpv1-analyzer.pac | 3 + src/analyzer/protocol/teredo/Teredo.cc | 2 +- .../Baseline/core.ip-broken-header/weird.log | 465 ++++++++++++++++++ testing/btest/Baseline/core.truncation/output | 50 +- .../core.tunnels.ip-in-ip-version/output | 20 + .../ipv4-internally-truncated-header.pcap | Bin 0 -> 74 bytes .../trunc/ipv4-truncated-broken-header.pcap | Bin 0 -> 74 bytes .../trunc/mpls-6in6-6in6-4in6-trunc.pcap | Bin 0 -> 168 bytes .../Traces/trunc/mpls-6in6-broken.pcap.xz | Bin 0 -> 19204 bytes ...mpls-6in6-6in6-4in6-invalid-version-4.pcap | Bin 0 -> 168 bytes .../mpls-6in6-6in6-invalid-version-6.pcap | Bin 0 -> 168 bytes testing/btest/core/ip-broken-header.bro | 7 + testing/btest/core/truncation.test | 15 + .../btest/core/tunnels/ip-in-ip-version.bro | 14 + 17 files changed, 606 insertions(+), 19 deletions(-) create mode 100644 testing/btest/Baseline/core.ip-broken-header/weird.log create mode 100644 testing/btest/Baseline/core.tunnels.ip-in-ip-version/output create mode 100644 testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap create mode 100644 testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap create mode 100644 testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap create mode
100644 testing/btest/Traces/trunc/mpls-6in6-broken.pcap.xz create mode 100644 testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap create mode 100644 testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap create mode 100644 testing/btest/core/ip-broken-header.bro create mode 100644 testing/btest/core/tunnels/ip-in-ip-version.bro diff --git a/src/Sessions.cc b/src/Sessions.cc index e0a47780dd..9e69a7b37a 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -337,11 +337,24 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } + // for both of these it is safe to pass ip_hdr because the presence + // is guaranteed for the functions that pass data to us. + int ip_hdr_len = ip_hdr->HdrLen(); + if ( ip_hdr_len > len ) + { + Weird("invalid_IP_header_size", ip_hdr, encapsulation); + return; + } + if ( ip_hdr_len > caplen ) + { + Weird("internally_truncated_header", ip_hdr, encapsulation); + return; + } + // Ignore if packet matches packet filter. if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) ) return; - int ip_hdr_len = ip_hdr->HdrLen(); if ( ! ignore_checksums && ip4 && ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff ) { @@ -381,6 +394,12 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr caplen = len = ip_hdr->TotalLen(); ip_hdr_len = ip_hdr->HdrLen(); + + if ( ip_hdr_len > len ) + { + Weird("invalid_IP_header_size", ip_hdr, encapsulation); + return; + } } } 
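Review bot: The two new guards in NetSessions::DoNextPacket bound `ip_hdr_len` only from above (`> len`, `> caplen`); whether a lower bound is enforced elsewhere (if HdrLen() derives from the IPv4 IHL field, an IHL below 5 yields a value smaller than the fixed header) is not visible in this hunk, so it is worth confirming or adding a third check beside these two that emits a Weird the same way. The comment `// for both of these it is safe to pass ip_hdr because the presence is guaranteed for the functions that pass data to us.` would read better as `// ip_hdr is guaranteed non-null by every caller that reaches this point, so it is safe to hand to Weird().` DoNextPacket starts and ends outside the hunk.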
@@ -618,9 +637,10 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // Check for a valid inner packet first. IP_Hdr* inner = 0; int result = ParseIPPacket(caplen, data, proto, inner); - if ( result < 0 ) + if ( result == -2 ) + Weird("invalid_inner_IP_version", ip_hdr, encapsulation); + else if ( result < 0 ) Weird("truncated_inner_IP", ip_hdr, encapsulation); - else if ( result > 0 ) Weird("inner_IP_payload_length_mismatch", ip_hdr, encapsulation); @@ -819,7 +839,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, if ( caplen < (int)sizeof(struct ip6_hdr) ) return -1; - inner = new IP_Hdr((const struct ip6_hdr*) pkt, false, caplen); + const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt; + inner = new IP_Hdr(ip6, false, caplen); + if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 ) + return -2; } else if ( proto == IPPROTO_IPV4 ) @@ -827,7 +850,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, if ( caplen < (int)sizeof(struct ip) ) return -1; - inner = new IP_Hdr((const struct ip*) pkt, false); + const struct ip* ip4 = (const struct ip*) pkt; + inner = new IP_Hdr(ip4, false); + if ( ip4->ip_v != 4 ) + return -2; } else diff --git a/src/Sessions.h b/src/Sessions.h index 305c9c145f..37fa81016e 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -151,8 +151,9 @@ public: /** * Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4 - * or IPv6 header based on whether it's long enough to contain such a header - * and also that the payload length field of that header matches the actual + * or IPv6 header based on whether it's long enough to contain such a header, + * if version given in the header matches the proto argument, and also checks + * that the payload length field of that header matches the actual * length of \a pkt given by \a caplen. * * @param caplen The length of \a pkt in bytes. 
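Review bot: In ParseIPPacket the new `return -2` happens after `inner = new IP_Hdr(...)`, so a version mismatch hands the caller a heap object it must delete; the Teredo.cc hunk does `delete inner` before reporting, but whether the AYIYA and GTPv1 callers do is outside the visible lines. Moving the version test above the allocation, i.e. `if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 ) return -2;` before `inner = new IP_Hdr(ip6, false, caplen);`, and likewise the `ip4->ip_v != 4` check in the IPv4 hunk that follows, would leave `inner` null on -2 and remove that ownership question. If the current order is kept, the Sessions.h hunk documenting the return codes should state that `inner` is non-null on -2 as it already does for -1.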
@@ -163,7 +164,8 @@ public: * if \a pkt looks like a valid IP packet or at least long enough * to hold an IP header. * @return 0 If the inner IP packet appeared valid, else -1 if \a caplen - * is greater than the supposed IP packet's payload length field or + * is greater than the supposed IP packet's payload length field, -2 + * if the version of the inner header does not match proto or * 1 if \a caplen is less than the supposed packet's payload length. * In the -1 case, \a inner may still be non-null if \a caplen was * long enough to be an IP header, and \a inner is always non-null diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index 56fcc794bc..1d8cbe90b6 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac @@ -59,6 +59,11 @@ flow AYIYA_Flow if ( result == 0 ) connection()->bro_analyzer()->ProtocolConfirmation(); + else if ( result == -2 ) + connection()->bro_analyzer()->ProtocolViolation( + "AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(), + ${pdu.packet}.length()); + else if ( result < 0 ) connection()->bro_analyzer()->ProtocolViolation( "Truncated AYIYA", (const char*) ${pdu.packet}.data(), diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 23281c1bb8..c0d9b6e32f 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -740,6 +740,9 @@ flow GTPv1_Flow(is_orig: bool) a->ProtocolConfirmation(); } + else if ( result == -2 ) + violate("Invalid IP version in wrapped packet", pdu); + else if ( result < 0 ) violate("Truncated GTPv1", pdu); diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 6ad00a82dc..663e61749d 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc 
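Review bot: The violation text `"AYIYA next header internal mismatch"` in the ayiya-analyzer.pac hunk does not say what mismatched, while the GTPv1 hunk in the same commit reports the same -2 result as `"Invalid IP version in wrapped packet"`; aligning them, e.g. `"Invalid IP version in AYIYA payload"`, keeps the tunnel analyzers' protocol-violation reasons searchable together. The surrounding flow body continues outside the hunk.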
@@ -195,7 +195,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, else { delete inner; - ProtocolViolation("Truncated Teredo", (const char*) data, len); + ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*) data, len); return; } diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log new file mode 100644 index 0000000000..a416f90e66 --- /dev/null +++ b/testing/btest/Baseline/core.ip-broken-header/weird.log 
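Review bot: Teredo folds the new -2 result into the existing else branch, so the message `"Truncated Teredo or invalid inner IP version"` can no longer tell the two causes apart, whereas the AYIYA and GTPv1 hunks report them separately. Adding `else if ( result == -2 ) { delete inner; ProtocolViolation("Invalid inner IP version in Teredo", (const char*) data, len); return; }` ahead of the existing branch keeps the original truncation message intact. The `if` this `else` pairs with is outside the hunk, so the condition it tests could not be checked here.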
@@ -0,0 +1,465 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-20-30 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - 255.255.0.0 0 255.255.255.223 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 255.255.0.0 0 255.255.255.237 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - - - - - ip_hdr_len_zero - F bro +1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro 
+1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F bro 
+1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F 
bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 
b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F bro +1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 
b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F bro +1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7265:6374:6929::6928:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version 
- F bro +1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 
3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 
invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0.0.0.255 0 11.0.255.0 0 invalid_IP_header_size_in_tunnel - F bro +1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 
0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F 
bro +1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 
9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 
3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 
3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 
invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F bro +1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557633.000000 - 
9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 
0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F bro +1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +#close 2017-10-19-17-20-30 
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index 678a886c44..85acc259ff 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -3,48 +3,78 @@
 #empty_field (empty)
 #unset_field -
 #path weird
-#open 2015-08-31-21-35-27
+#open 2017-10-19-17-18-27
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 1334160095.895421 - - - - - truncated_IP - F bro
-#close 2015-08-31-21-35-27
+#close 2017-10-19-17-18-28
 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path weird
-#open 2015-08-31-21-35-27
+#open 2017-10-19-17-18-29
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 1334156241.519125 - - - - - truncated_IP - F bro
-#close 2015-08-31-21-35-27
+#close 2017-10-19-17-18-30
 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path weird
-#open 2015-08-31-21-35-28
+#open 2017-10-19-17-18-32
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 1334094648.590126 - - - - - truncated_IP - F bro
-#close 2015-08-31-21-35-28
+#close 2017-10-19-17-18-32
 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path weird
-#open 2015-08-31-21-35-30
+#open 2017-10-19-17-18-36
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 1338328954.078361 - - - - - internally_truncated_header - F bro
-#close 2015-08-31-21-35-30
+#close 2017-10-19-17-18-36
 #separator \x09
 #set_separator ,
 #empty_field (empty)
 #unset_field -
 #path weird
-#open 2015-08-31-21-35-30
+#open 2017-10-19-17-18-37
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
 0.000000 - - - - - truncated_link_header - F bro
-#close 2015-08-31-21-35-30
+#close 2017-10-19-17-18-38
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-18-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F bro
+#close 2017-10-19-17-18-40
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-18-41
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F bro
+#close 2017-10-19-17-18-42
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-18-43
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F bro
+#close 2017-10-19-17-18-44
diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
new file mode 100644
index 0000000000..728d8e4793
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
@@ -0,0 +1,20 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-26-34
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F bro
+#close 2017-10-19-17-26-35
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-26-36
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+#close 2017-10-19-17-26-37
diff --git a/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap b/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b7ba9f11f824e0a49567d0740ed0c2139dd8c177
GIT binary patch
literal 74
zcmca|c+)~A1{MYcU}0bca^w#^k1XEB!=MCYw*m1LmjAC#e5f!yc+CC~2ZKKYLs9M<
T1_lSVJ#~x!8f-r>ZMQZ6v$Yoo
literal 0
HcmV?d00001
diff --git a/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap b/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..8dba9bb46cbad15485a17bda21ade4dc74dfa323
GIT binary patch
literal 74
zcmca|c+)~A1{MYcU}0bca^w#^k1XEB!=MCYgYXrW|F2Gbs4zTu%>EDugFgdAKtpB6;`
literal 0
HcmV?d00001
diff --git a/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap b/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..afd07cbf6b117fd058020a123b56cd8a43954f67
GIT binary patch
literal 168
zcmca|c+)~A1{MYcU}0bca_lx1M1sT`pjf=PB(WqF$YJ}-*x?QYiOFR^o{lENMusAg
zI2dHIX#Ka||DS=ufkE*<2>kv2KTCmugF%jk0Vv9lsR>e+3FH7(p$YiIRT;4X760e|
Q$HWLUI=O_4f#LoS0H^ROvH$=8
literal 0
HcmV?d00001
diff --git a/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.xz b/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.xz new file mode 100644 index 0000000000000000000000000000000000000000..f45d0a9a17c38a6e7a0ce91427d28ec5f99b2702 GIT binary patch literal 19204 zcmV(pK=8l)H+ooF000E$*0e?f03iVu0001VFXf}-_C-pxq@(a3#^_z9b@AIy0K zO=&R-5)T}|&IMl{UrmYbp(L0l9|ZtyuA~47nCZ0a14v0u-<`ni585RTqSYkVm%4`s z%3;KJGH{MNT%Wi40{g!37;rT@{D1bUi8|tL*QcQ@^QYuBxsn~+*yCTX+#Y9f?A&#m zE_FUA){{NeQZP=HGL)ZLLbki zHjTnL)U2eg<55zv%tn?ot@=IFQp+0h^I&(CitdF&915~xU%Fe_l##ZPQ%$X+e3a(b z9gW09iYlBu29=uh>der%cwT9+8jC$3bW)eKPb8E3xiH;Xu~I`vN$R$1BP5|}h}hF-xUFq4p185vIeU^62I*H+M;;(fHP z60=bu;o!~K2QjX!Hs z?@)1zF-hOYd0&Felis?Ym%1api;wOn^_wQaIPtRJhUS;aSG{%n_M0>0UpPy~R!jca zL(lf~j$#&arKKu`oS6xqCjqBv?(R4oDc3}Evyk)U>~4BX*-B%w*|q4YQ@Qo)8wE*@ z&8NaCHs@6gD1;9I`sS*7$x8g~$N;e8JQ@ts1$a-lOeFt>#Lxc_iz6g}ubrPz(4t9n z*`Ssscd2zLdvmgZ+E@5#hy#5?HkK#i4_304LnE zQ1J*pG}IIU{c}6`4UpcCILmn^%j&cl=0bVv?sK=568#%5Tsfp=LDAvxeIhr=F+u3w zAf8Nx5%8-S=J{xO>>n8Fsq?Ft=RfQw)Cv)z1Gtag6njC_|9;5BV+0FwmZlZxb_@iC z)j;gSPbQlZ+&ZU5S3SFwxvdHa@aG*Nkfpz@M~(f&ax6OMeH#%B!ykz*Ieca{{9+}q zo{{)Jb9C4*Jc3e`lmT=*+YIq+2evem#$`S?ST72$ZyYSr&LKuf;M1UyuZV{4TYvCi zt?!-@%LyJ}bUkj{A!ZxfJIB2{T9YDo@YKhmYk$Pd3@!1#L#$^+Es>Ma7k7k^=21Z` zdbnquGLieb{^}H-GuWW5ef*dbzRRw`@0RhBZHxBoC6r{!_4E2HGuol=6& z35CC(f8q(}ylamPREWK@<9R{n5x8);MJ=ru)H3o9wno)DXnpFe@q*4ZaoJA!w{tM{nQ zv65ckrJ)3$^WJk0P!)SPu5D3b7C#_JQ1z_YpoKcFG+%1mwfKj+Rd93yc)mzzjYbauWP{ESvjD&dHIg69GKvHqPtMX&WTuj?s*66al~57VnB4 z1XP-oW$@p)YW$$#{v*n5bOlE&4 zTuooen}ud~6oi^}_K6#vw*}J%riWFinbr`Dwn}zZ4-Fo{jO^%p8p~&N_bXCHR2{k# zJHYJh7sl@cp1LR18ds$tlZ3%b(#V5d6>cd__}!&)U&ED~Q@E|Hwwax?%;WlSOqs8F zu-A;EK2nsWFqZGfzB5u~zuS9sUFag2cU(jHIa0x2*JnTd0ZhauEPiQPCb*})2T3jO zK5cO7u%Z%%!@+;=rwzC|;_N?z8Dv)K&R$x*V>)JQ51@tJ|APYq|GZ}TvQEOFLXCJH zZ%_><8QZked<@UC+0{w+jm;q+QaWavSeUqCs(d}Z&)+JSO{#P@1`q^z-$!CSc#=;4 zc|6|Sb~M{1LqpZZV?&?%+iXNXeBp=|0YYW{e zSu{sjKGdB~;s^4qNZSrO$&}&Wrh_#4(`m(5DfPwkFEgNQ_lE>ifVNg}ro3SY3_V`m 
zi<4YFhcByk2gmK5+lJDDE`T#naGo48U;5ra8(P)&{TQhkFu5X+g@1wX@m+e8A7gaK zBs}+unLdJiOdK8!yLsETjEFt|cW+n#>@85(w^KvY+1J+8B$&fHm$1CeMbfpFU6Z$O z58LO@c|sHWbx?Hp$@D~*%rI_(u(EK`sgJci1WyAcx0PrWmsH0^{}PMOW$W&x4nLUQcefWyskLI8~f zI(kugN(LIR$W}&dVOfyZ)*k}s5g^J7;d0WnVpg^u-_d+A>OHoxw`jfJ$Tp_!T(b!+ zG9gR@occ3Z$15J^$Zr*^rFh0Yc3Nh-N4m`O?2f#8MGS%UFu?c)t<@oeZ90?@UgrP; zV|8THfW|WOWD3z16wkhOVNin*j**%+OVRZ#lUNdR20eYxQoWQc_`4`R@Z0M+50y5b z%!5a69KetqT*mQ024di%5}JjMkyAL}%I~=0eI+vY16Io3@QYQu7W4Z@h~sB}BM!<; zQ0yuXVEmg7v%k6e=Xw3Be8v`I)Y{l_Ei5I1T1TQ%P*%n3{kq;Pzzf;-o3ZS#GNR;s z*gn3Ei%vMlN*aN5aa!>uqY%<1f~VDv?C4PoWmWOk7K*Rz7QCSt15PG_4Hnr{I9X6{ z%fCS2{7BSUXbM$0&%0^iD>MfAD#|jfUZbtpxbnh~ijOEuZ%hijG38L~Z5@us2(ljv+KC4op&5|v55V!6R(6bTJdWs_D*i18nC z5PVWz42u*>EX(MgKeflKjhTp=9I+c3bHgq@&298__>F+>Xr8(%XO`Do2rOJY`27FH zaTg!Bl?Oa$v$mXFgX1E2~s=D#UV zXyD0KC5QUftDF#?P{o!{=*3Jgud0rSESm=d}qcYs}KL?H^j`$vhkV-x>~f z{q>(Nof;5vINFnBm#L@Q??byA9s87RO3sUC^`Jbp<1UC@x<659sx8|9q)aUp9B|=u z8r9iCVVJeuH~5&0c9Y0)&{Y+`V-ELAFa1h52OpdG!R?WcD1>!o0NWlWk>s8Ll9=lH z(dW2+Hm9XsjXC4UMkbr50f7U+kxyOqG7uYUUY?(yW$uXP~SXY!0|J<`vvAD zdA(T7sxChd!^qV4#DMQ*vd2U{K z41p{vHy-h+lS#5{_$x}{(k$g1xoAPriC|=UsVo@MWdbm9e%OQOX@6DnJq6j?su zbe;i!s_xU%1+F6Mt2zTi{3(CG2{_%lyy1hnVA~ygU5uVQ*$PJtfV>}_`@RYVDUnrl z*~J_YHb~w!nE}jt`|+2T%)C?6Euh7CfTOBKe9{dAV&khsg}WkpTk3+Ak@s_~2Iz>X z;=Ly*o}qu8T?!l-!+NlaZvATFi4p3zIF&B9m8Io9cq50fGB~8q%6O#X^C2 zmTh(wh3^0WL`%DDUZt2x?MS&K4)z$8)dpp=zL-3&YFb0^!D>cO$n^yw(0c}e6xBj$ zR8-qgmu3^*47gM6iuUFoLtOoirSP!a9-%T@Zt|PUPXVbUH&X3nW%^o^$D1 zVGX6n|0xhW3x`q-6!xbNgUk_QHd#jy-p5cpeNS|m^ltn4PgjwzKy@l`7o&cxfjQ%; z$tA?kF_NEwdscWqYdio6K5j#6%+ZtK z^AisR0z&NW=(Cpr!8Y{;*8j-;d((#z8)02msjtDREMU`=+st-1FF5l_4jF?@n297^@E2hSoLl29{ zJ^85=xF0}o2Z=0s{Yg#Ai>s-dttrHW7z*Ho;H-AVKAsR7(~AeJ2Sgvh5djy9tY!eo z@glt2B$;_VHmtuyP8b#AeDlMbuM^=mj@@2mLP1feW=F2`1@7C4g@`{GISl(fCcVms zy1ybL+s?>bCd`drW^*>&{?Zl!i^qV(4};ef52NTDJn$q_LI@&cI~KnHioZ)iz7FyK zddgp@-TL?7BS2j()|8kcR!~T;*LLjJe67z$2w7F$Tuvt&J%p+_VPQooS04PKPXY|< zETJ~sQ?_tI>|rODjC0qrMNL{8Y}8nykd9Q1>eHAUn#RGEW#D{3%( 
zT$cr|)Y;#c3a%AxcPUR?$!(O9a3rV|Z8-GZ(epdvO3M6m{(&*CnGcK-LJ%&o{v$EG z`(Z6%pj7-QrDHNxOK17JJ<%xESEJ#%E>96sND~Um%uQm#${F&++{-hLAx7cK?HB07 zwpWGeO^?1Gb*~ZzbE{bjGcR^|LNs~T6gxTqNG!K!y4q!l@vkN?*3{(BW714M)0d~? zb~-N|p3`!P5lcvu#|?_T1f+gr9Shxvon;~lIAg4D?G-D7;?WbH^LntEMQnoVb5Zf8 z8@2Wlseiock;H;cbMh;Ix~HCO=6Zzi`lc>3v2IKgo-0c%i+K?C>9yE!Ie;onW$!u!Z7~GVYk*kSew|ZLtfBu~U zHH^;bBw&#&*zE+6mNp|IK!?F(_ACsIAA&EI$S|D(6x~{2NVx>#BHrEkh~8T!L=6rd{AFyY^fofS)*VTjkkaJu~AArnEYd$A{K92WW(W^O} zS7U-z8-QZji+d26AUlyxy_((t7a7^@)d<)-(;liRADAdFbs?W92@__-SLFI-8>N~8 zJ_$GC*vicbR}Q@S3?hZKfKMfx?P2fjgOCzdKfFu|mr)>sDI`nV(nbr{SD7%Rn!6Z; zq6F)+o>)(&ncj(kSYbX0VcA!JCO?`0+n`GevTzfso`+#oxKKQPu4QIQ^JdasB0)>H z9hdGm@K(Dta9@pouGMyd|C=pu;UkCdYOiPOsJ4Uw*2`kt1AatLH|%%G*rP!kDoD8U zE<8ykQ1MZW@1{fY+Kv5*!|fobDFXtHG!W&ooLT5`0eQxlomY^EDuwrGMhP8T4f`vv zI6T$e$;=n;5Y4LQ)}76r=528x>T z3o~Sp{1#8nExX99G5QPG5XKRapPffiziDa~Hfj`4a%T*6JEy$q_}L4;aMz9e`h)+* zfy8vw=pHzlj5h*;&GV&b4;X`*i}ubDnxxr@^4lPCjz%&69?|b)G`_~*c1!QTw)(Aw z97V+yBuZ&`e8zlJ(CuPG2dljjDduuLllSAcQ!~xEGy%b1c%S7I4T|QTJis9HlUc>M z4mfOQ7CeOgqXQzwVWCObG7DDt!DW?;HS>%Vk2Vr=Fr!RbE|(CGUpaOK5FI;q$&%?_ zx?df^zdso8N4LfhG>)o;6lmi9-TSP&_8B-&zIrQX)eu3);3Z?;`$4DqU1n)d1YjnL z=8nxj9U#lcpKg12T-*4U>A0|)xn=c}4%{9Jt%Y^BIyT5M+w>P?i-|QK<( z4ed=Z(>U&BLmmN>zJhu)L>t&jQ@wd|^5=!Ee2HxrpR+ z6B^Dmno+AtF<54^p_! zgVN0;_0W27)Rw0n8RbKQ<*Ldk*`7;4P9jaXtM;`$7`NddY8Xvs!cz2nyc%H#KP^8SOtpEaciclA7?(W26Uj? 
zgn;W}UTYJQ;$hELs{zyzbpL4!-!4}L^Yc_>#3UTtr-zrGKOvqBqb3NIL&Q|!oyLK@ ztq!1L5+?twy)v;WJahc*oIzMt4xydRiyw~b8=>jPf0C5=7(;FmowZ9m!YBvF8vct= z>J95OfDEcXRGO2~1-`k@iyYq}l*C=UKVxnKEBd}tqLwD4CGA+t1{`EzW*PfBYaUI{ z$zq3Vzmo$5DJ$`|k=d2APHWn|O8=z^`hlnql|vImRq1vVL|;HkA2y$I0ZFnskP3v$ zjLLityjuGq^I^)6VvqJ0`eBHQ`bXw@3-n$6bST_BVtMylhcK@+kWW@$_JgHjnir)e zuvo-%Of=I04kC*d^da9QJA3Zq+hhrroP@E)CspV4MjauQ<6nl=BQthLuD|Xa3R66L zQsjqXUPa*>&#~rT{zX0boxv65Z+GI?0L4E$>f+XR&bzFrOAL@CGoc> zeyFyisQcr=$q!jZ&IX(LLGfaCyGHO`N&~IyEuJ*e$P7+>}MF&jnBuI6d{(eq0QN zX&6OmP&w{-ir1HjjH|_xq;Ow`onE%OM0A^7++!4O1wXp>#7fi!EB?1fYK`Y3 z^04^DLRi<_)!*d0ntE`5ruzZsLZcdQpwkf#jFhfYet#9dcd-Z>KZI6FZ5(uoQDrZx zFYEN5<4wId5}Fo(6Dzl`Hhc(jBO{KVlJ6#{O_L*Mt)en}$?l6khJNzXD=T6u>p8+# z;T^fii=TXzV<-MPefzoe9g$Ars58iq3jlN&l-Z;--3FT+kVn_F1AxB0_)L6^{xs2=VwDOU??1Ff3 z9Nd^F@}_1dVl8&1I6L-@!5#@kQ9(*d_&^r+&QxVIna`6;%1cS;K{D$Z-I@}LKaRLz z&>_Oh;L?x8XAikxEuQOZpGN|@fVUcOPza-TA8)6*6Drt>5~&*R#L%%duwziUwiuKE zTS7+)?X+$AQ2u2m%#x=;sQsm*rf2`Y4mL%orss<^p&mhF0;igKxF({C^5`HjQTBsw z?Z+;nYltvp2OR>O#UeIcMA0fES__71jVuiFlFH#_}A?l zuvNTQ%(`CTrXeGba!$u2bp0!>yCx5yP`=rYaSRFYp11P!$vcRcP3ngL3hILdLw&%U>(3Ji$0+gI49k5}KDjC4^%cZCZ|Uavq-ArGrl< zsefeI_iIANO$c!6i#}g@r7n#ZbnbL3l~zsZ_inIUGUV7KR1G(1L`+9o3P(4k!bZ!{ zf+wc*%Gn1a5%pSHt2ui-HT8HxDumC(>VQa7XeS5DK^FsY{4Wh{aVN@&=6Qd1^fxwZ z*+RL`R-1c{g@?&C56Z+BY-=v_&g2+b>R2v86&U7P8J^x*n$V_O>wrk*uzzJ_^pvDe zY6&;2CbLCLeSwnGIb;Qt9yuqq2bY){vG2(Zw74B%BAtpA<#C2WHeO+*ciU6D!au2k zI;2;LuVOAxU|#499Gz{vWhSu-TqmVv^6y$Apro*BYpzItg%;rhv%>&ZaV6V?>NI z1_yPyRjpER0Mti`<$APtTy6y3XtUF&r~F&eT5r2 zmA7SRi0{0Qkv`i=VKUK1FUl6Mw3|Nl=XJ4AqAr-W31>~z6^c#K&GJcfhYg6hhLjnJ zoc}2dAJ!pwxtY9g@FaR^QGtAESX<xT6C;lT=o}N_mzFuk{W-G0l-0y2Qdrw};*A zRb)mBg8n$ByS+SWuo;@_1mX`18h_0=doFJNk#t6T1S;9a&S1UtAygfZVx+#T>Xh6J zAP%8v2zv}j_T`(oD?7tDbw{V#d?@fd?zm*CEkLm=s9CI1l9^;M6p|xC5OG$GTQu&R zhA55xr+E;j;jKkmlH&=?ILxpyYY9Q-Ka8y}myaNAv-Z?EliIUoQi~UJ@u(jB5l}C( zCaHNZnj`*5H+dZItGuZI$q}pH|AN`D@rsZ-0g=gYp^V6y=%mDyG1{oD)J`0Yy$#0O zMvlKcOmya~oZGD-zT`XAK0&gah+QKM|;C$LE)1&bwl>V_V`d%Ts&&M+0n6gJXTI 
z{ekkjva`M1?eUB%xlLZU+gd_X;sh3UaUA!$na>?9#a=$AE*#P3z~OHygD0RgI%H~$uM zaUV>N-_H|dKFgFP{;ZbUnFGllMzo#pk?4p+}4_+e$jP zk}Ak{v#tP=>NKFt3vdjTV%V^E|6eBu7?lfa9T+yNwEanLR~Z7gk8UrvIi;(u2`rZf zH>Z#cj^M(#*vA4r5MBw8x(aoRC|vcLv`hue?>2|TGVFY@%r^PfHwGcsrBrMqJbkk2 z`^b61+&;dddvi73Z1-TTo>z{nB6KRNl>X5CImhZqqJ5-NcT2QC!yNtIALlWom4crj z;h_Ri-u`llhFCgd82DOLiptVEc|6^nwHR7b_eP5FXf7eG+LtJSpy>6G)Em2nOB4)PA93DDsfCeRBS>FzG9N1%V+fCU5 zIW?SHs(LK9?k1PklL~-6S(PFH7ucWlR$-Vkv;Z$o%hq?X+lX2IGwl3Icf`=p{HtNrgR=-m+IkABKX{Fg-5 znavHpcoF)6a9B9%*9kn7iPV$JxJ2eZh>&;Ihxq+qrBAgEPCPA5$1<)CD7Cmawv!~6GtY-J~g%9pcKKtO_v7B-yvl$f_?%nSp+KopiE9$+1#)Kbkj?xstL!+e}4@avIt81$h!x&BY*ZYV&S zseCzdJw7tWU}_e!a2Jj(qXt5C(@R8;EU<8hVo=WB%FmS7p2GJ9RF&2Hn0){GV6*ac zcd5qV4lPDJ);R+0L7S*<^|xNE?N2pa6ta+j}wQ zSY%pMRTeJO7)KCAD<|uzZJ%%2%{S|4JR$I0h-SYhhm1F6`h3Q$<99x~qKDnOa0$(x zc_o(*!TjsO__lZqHv>wgQ1Xz^1oll|Oqj$TD{m%KEq!`JhBM+wztq_+u$Ery0-@pM zI#(Fp?+Dh=>sO)R0+u*~c#&272ulIJVB*hyi%Zh~Ct{WI;59H*<=XA ztvqOUjZMIu5Ya?I$7cH5&MkSY!tE(yIlg$z_g^Y!=R(cc+Fgkv4kvtPj3Kq9kZcN8 zq{v1jrWl3yc&iF{x=gPj&|F?qrx|sk>G5oqzo$kr(zw^kth}WBZ>MH z0P1Q39&IwWk$zJw>8E+id2kZqR*|7q&bNpP2kTIfbi8A$ICNaep6SQ^Hp;7wQ=KBP;g| z*S6!qoGWE0$r<>!>dNvJ{dJ`qi5WSX6!j7yjXk%JWGnN#pa~=pfS%M7c|VRqm6o_! zqU;AcH$-D&5z$xxH{!lbfovfr=^Fg<4%C|LI+^MdOCMK+p`Vr*mKs<54dB?F|| z*bAGoT;)ltvJNCLS^1+!JJg8UHY&J|gwQylEX<3dAtC(zrS$~EO+`DA`28TGNdcYw zj&4oQ^=u#Lo~aogPnJx}v}45Q*67Z`QtQipL*5<&W#w=;PyK&QhP_+5C1K$SOy&j| z!(y<*9o`Xc!qGh7?OUsTM@{5)zv@|i^l=hsmGrk2TdKZX{$x(O$YGpZ6KJw(P}Br? 
zUFih#o0L6;r^j$*DE25XFY^B=EVO4TgL*TcOU%SGShq(ezAm;Y^#$BhIHC9XyExMZ zBH5-O)hJfwKp?R%S(BCg`fQg|p!adas2_HnNl~Q$$AbxTcSnhcTYEH8i`X!+KYP3` zus>oDWzt!EsYY8jDE^u5&_Z%%ompW*<%o?XeU`ewgr1H0*w9_a^Ycp1LtO0>EDU&a zul9F=$^azM1`fwrj+2iS`P3yN^sY&`1FFCKO8FbE5V9U}kdz6M?5)+h+99S4kFK|E+M$9z-$c|F z>A1*INF-Jn+g-xihPp$ypgcsPJe!k2QfxVCW{N4uv=GT~PY+1FMzWDHaJsgN3gEA^qvWnVTDsYkgc&Og%&Zzn1ig8WZ)h0q6=PBIJ!QP&6!)Hl( zjlmu4G0_8wEh^x(p>lHbQR4C%7&N@|dsOV9X>-_AwPBz9o(x*X>4?Wkv``YUOon}> zx&gY4eyrl0=g`wC;DdtO?|9=Diws-}Z@T$U^VsPOM~0`TTPimPETaIcv$Mdxf~ zKk5l|aPvLH@mVjOU_nLA*V?nh-iCmwe>-+mgl1^|)2T zkgLTN`5z`A)|t(Hj54*VoH25BUIKei;R_i_580nFWCXC*W0g5sPlNlt#}9cNOs`KD zG&K?vi>B(Q0VLU45jl2pl<%%4gCWb25|k zuRLim)39KXzU#alC91p}DDt{hUqAZoMUd~tdNtqQVZTHXDgYMnv}3{P9w@`BRB(-e z_ATqyzL2E_Yl)yiTZaY2v&-AI`?kH6Ik0K`CZtG*_XzG;p`JNDCR96lRPH!n zq7#?w!7#H>m{G=%V%!bzqf(6T%-Y^#VcLo?+D0>i%KhVOKG~z;qSq=# z%0TReqt>qGx^})IDZ?7%g*6e5c4S1;)Q!I1>xOe$VHu!kqz+zrYB-;y48z`uI6J{kGU{X^QC z`?EIb5^MTW(2P0FU&TS*MfMHO@J0!1;6F`bUH~~%h8$J4s5aaXsM1*K;6FMZV7gr~ zae4VUSQ0$In2(DVU0q{M=<^ZB!D%B}^5T<$XP0EP#Z%}dqLe+`!FR0MW@cwC&M6vw z(yqlT3BgG!=V4DKaFU&Uu&Z3WeOz2`^wL8wpb~MXUb~}fEX{OIdL6)M|LgID99@n5 z`nE5f&0uGaq}jMHaD)lqMXmE%KEf>u%rtFUwUQSe*3@Oc8X2)T<6mnpol zAMLBfGr&3jA31{3WpO5Alv zO#fut-6a!HS*o$64FqSJaH&i6>7>uLf4#oF53TmOLi=59nZH^rKh>S12J^>A1qQzl zW%*L)BO*7)q~42U(!NXUil1cAnGxD~&^9on*^FX+Q%#u(J!fp+xl$w@L5GHY=)J+28}7Oz2s!{2&$|Cx*jNP^;1_UW zWHUcQV{k;V@3Sn`4z_m)c+eWi)@49ewLJ=^{rXYgRsAb5*XclYh{(RoON>xjjsipr z+e}i&4G4x#h9@J~kMmd1e#%U_0GZ3V#zsB}G2F45GI3iuk#~z>LP97aA{_8_1FCDC zp$)g{i@d@X7u=tg_%&w{ypn5nx{-Alr+?{yYM@x33Y1R-odVZfe|znv=XS43P97`s zHcpGeL3>cvfeI`5Pkm^gAOvNR1F`}Q0|e%f;sMVxx8?yn9q|;|5XLgiS(HJdC7@84 zxps$lEfmz=@7$_m$N&zMnVRIQSBKO$LZlS|)wK%$T8lwzRspj-%XO~=D4|H_p7rfJ zWp6XHi7*BkaQNWSahbmed`v&9T^{);B=(5)qK)WNr?jj};0iRE;-vj5e}tmcxDPu< zb8roIpTX3&r9)hOmgGLdR5qlwCK9*~@e^@h9gZwBwQU{HFsH3d`c4uv-}UwV;pSRj zu@@f)1(<%PjhpYm+A;ud?1YOQ9>T@NNib-aZk9v)l?N|t7Is$h)3p;H(>?ZV=vK&> zL46~O_*l?gE|}zoW_20JFX?2c2?rk_7?;0n2~*~o`s!Ro!+RuhB|adIm~U_hC=1|@ 
z??78TjH?S&j}19qM_tER)4OK}zd^j(o=;5%7*_*RHQ-?B-MPaUt|sSIQA0_{cQvxb zxRcgzOyPpZ+8`+?j+`4|Ar}b0NFJfsX)*YcH}3l2HtB2#7*i8vE0kLyITA}qQATp$ z$ugt*9PnQm+V!Yj+wj#8+p@bRvTu0vrjK2W(=D`7e3qDR`mLU$y|sdY1okRM0E!ep zGzUdnc-kxF)EI(wjZREyRfY!p^rWyrz_FT^9Y%9rc)3f`F`1NXL9KcFaOE6!YU(y5 zik~y}9yW zPfkx!rpy$6U!B)Ln9S9ldsf9hSdTW@Emo~xPghan!x0g$8NpdLI#)EgOUk;d5w3>c zvmd||iBu?jzH)64+D9r}A_uo-snEaT(+-TrCXAi5&%-$&%oyP;pn)nmtFrsNuG^7#`v8{Js8r=}c47R6 zA4S@}1O{3vVM{c(!MLi;#Uw2^cuG`g6JGW@yo%qHnc|xhxdy3IhQ4dRArIgDgXoqfATuA#s3_|FQ5jLg(hhP;5 z{EvdCf;wpqhz=)uq`6MJCoSQX)EcrUCp(s_-$5^oy6Qd@DY9qFMjeS&-H8XArNaGe zXy4~`WC!}qN<_2Y_pkn1L5q=mfcJSLRW#V*^GL}yoF9>&;>L}!waA3UYec_nGR^}V zZSh2MHB&stUnFN{kX|J7lL|c}xBkO-Iq#2U4|pXSv2~=lQQDGh(k-}qg?80QyGoER zdXp3b)h;MZiUXPOnJLu8D~8-6=U$`+gK^JK6-IsbMv1?$F%10e zC_IzmC$bTF+Lvz?t*#>~sB2Maf2SV6bgW-w%1=?LIy2Cd_;>pPCGYP{AHeF4vZ}dr z1NBDNa`h4kMTLgl>Y-ztyN_1&J5qXaP}Z9)1+ln4nr>EbG!_#E=G6j^4(H(qoO(32 z&zn+uP%Pglqp-1SlckjxSjai3gTL{_Q29Hdbt~KWZF&pitJ*OIn1k@#5;$W8hNnB8 zVqNLJO8ih_lFt8@dy4ext=_2A*H0~wmu+zDcs!ERWSOc846G9pFw+}V*c0!kL>{YG zGR|A91R8QTH^Je1Mei(`%OdM&qdgk(B2VUF2dW!Aq(>L7IieNe8+tUj&PSF33K$wW zjb+9CU5oVx013RZZxec093F|Vs+aOpsNos+JC1`A!&zeJ<84#`uf`2xcE;IpNaI{! 
zO_)0;IW=~vw1M=3<`to#QRsT87>#==Scen8<9Z@e5kkmBX>SW0u z3+d4GVeW^rrc_P#_3xcFGf)x{z^(YGA1K?N7-(HthRak7$7LuhzXaD}5w>SpdU9cE z^=Gp-elF)zj!*O@p|xC+izO=E1}=uV4R^55{yA7t!fDyR2p4tG2lAQ#ed7loZ%Zl$ z`07qVCO!wZaA|7XXHqYAm*cUjizPS)AGY)?T)VJ zFRo23VI6e}F99SNu%|+I*R;V_6(KL!#EnJZ80>4N}JFx3n*Q}-TNLIABZ{ssx@`ti{*OKG6;tz9R z8Qgx?A_^k_XowLr1}N~T^2CKs?btg4*G2q1J|C#mOwJFqp7BWkQ+P2`)wP^gVne=4 zGW(1}@R{Q8OoB<-bLPr449}ni8r5M~^b}F?DoR1N(U3RQDYgH}Q>%FEaAV+xPGSq3 zP|R&=_g1C7t`A%oJPPIP|L2b-SNI-{UdEcxAxkkVcS5BF3OhSR>gtWC%a6n=&IFgx zV>Yg`FWe6f8J8dP85k;#W~qr-ff;swA79**B-A_2?@S(Pk*87=@R@I@(6tuYAI2^2HMKmb)g!qg}j&J!*VZOu#oaC zlJxo^13Xjz*jZn{XbT4CCsG=*q;}3FYoHmSlV4m7s(!QV)9#zCF*{nq16MT}pN`Az zKGs53eG>Gqb0wavs(vJP8d`&YUW7z^U*h6?bS83#am<&;# zQ+Pnm{iMv=nW8JE7K@{k?EfCogUdwtNn{9pvz@;gR@0^1lK9bw4PauFwqV|kk}9)D zAu>rJ4b8+-EnO$?xbK$W&>rvpOu&CH89eh`gxmCaJ2czkE#8+WFN*c2FfjgC#U%ih z@}KJxwq30x?COX(`VosVXt7ll73}5K2=%`1GxvZs3X%}xiqIF58{{|R!2fVKwdOfo zKs%mhN+$kcQhAT33(dAoouH56fpONvldU@!;M39_(3t>eB@KW|ND=03`{QipolRgq zX~QO`!v*A8sBu&%!$E>r2{Vze64BYZw?xkS`El)G7x-@Z4Jo3_ftthC-Hue&sTy8; zR7#&|V6b95;;Ga!I=ECN_rh}}EyFKXc+tXW^FWh?&CAz(Xnqp=ET)qndi~QcgvR z2Ku12DjqcZT7;rL4p}ib0^`U63*HVM>`Hz3?&L-h>LfDjln%HNdZ1?fiHuB& z{kq#t?R3x1vjUAS0e|3u`F8d#f*PR&gBJrme~KYvp~KglCL6G0pj8dl$joW(Xnc?V?etseZ|d!8G{8IA&)!Xtd_??dadole~7E*bg-+XGSYBaQ`sGnx{))%KCqU zY2G#Z)KIxV;f#~q6e0Q3z8?q_e*pH|{}TcA3JUd$6C)e{3Lwt17j13otWD258ptkF zvf674+tiD$zi}4TLw*WDt~6%XS3RtR4gAzBUvS&}im05hm!+`CI7A~5T66#MY{^r> zNy{^{15xlEQ+AY@xI--hA8Oy3B;EJknUfp2YgkKxG%>rFm)g(XGpdzdDR@_CQ+9cWQ+X;M1?)SR8X- zG}YhR*R4HmPa25lT-js6kxCv6trbN zs|^j%6@kV4hg`k-D*VmzR*Qf7x7!@_h~VK0q@4E(+{g)Ts%9uslFFOBE8~-yTD>{i z?kcu(c8}S1T_dk1=FgpdGyFW}l{d)k%oWQ9>i>-%uHs_iU$(mJ7Wk~;STHJ63@Myl z{vJG6o!ZXbm90-~QUb0qYIZ48uY35xSTxOD&dWlXJD)23Iq_Qt#G z8II{Lc*Do=iebbX11(l1w$<>+%y%k?C-wI@4WC00uW+I^W^*?BVcwl);`irto2+5@ zLv|tXWSP^? 
z0ZOZE2pCVk5K(?bfozZKz-V?1m-8U;lts*;8TBOuFZy5jrAuD5 z##o!*6b_2|)B~x!TUik}V@rW%h*5^dXTvEnc)e8inteCHMNKHS(`(Ji*XA=v_N86E zFeo11Bo}Ei#$PJ16!z(2YteQD$_Ot*kZWazeIrkxn3I9dyvfj+GGG8^Efq!T7#NV3 zlk4*bE8`i#k$5zYCS!z#jR?!2gcxSqy-Y*@GeVd{AbDoAv4|{C{v+cq>(_Ps%@tJx zrd=g@TrX0q*udjRq}zD%3I4T2NTN?D#a%kzCC8Em9QvZNW_C_F%EUnaZ_%A8@L#T8 zOP9L+PgUYmz0C%|H_YgwV2wFs#S1v&j?4*=zowKl*pPgEE6wT%Rbj(4`s35n+XqJI zj-xkdB@G@qNqnIk_%*dW;xA+6B)J_ekv-7UjMRSyTCE!&T@hH$WMv9*=UP+2mNMxX zeF^V3dE@;QHRV)jJ(VSjO<)`lOmGqjtEX;UFjLjm3%o#iYbS7E#B%3&oq@|^yxp8E zqDaS*K1iQzxjV>5T1UC+mFAw%gCvUasyr1>&S$a{$O~#$IKn&`joq*nQc+DY8Ndy@z8&j!aI!w ztYe=cRs8{PlJMvD;Dh=%`10>%^J38#Zle6i+}{vGu6ZNcy($t)V#(&PW1(u=!M{>` zcIanjwgXH6oN-Y{&SRQ4?CPl98Ds`WigNILL<5~;uF;gMS8JEpIm}GFQQ6h#KX;TQ zJ*Y66t%4)n?NG9vAMu-9(f)D#r{jmI<{uV)jJfRNNvcFP$jP$3e>3H3)%XN2FK-AC z59fi>P{h%)a(v6!R5T8KoBBiEdzT~X*{k~`BGIy)=6TLSR+<_)O&|SNWq;paA<5%y z6Z0|dR2)-TV9Cu&hz2-=%MH8e`v9`(I07<)|2WT2-*B4G9d5V{FgS}o0#3LPOjCU= zsyrixJFTZ-spq@-!||>^h4C~oB=>Mc3fkV%k8plK>4b91)=~4kPIkpOfsmcawzm2N z7S3nfa{m&3n4$y}@18jC$3Bb6smJY?i+2jkp*kT_rsBZqc&P?mzBrh-tGEM$p5aGB zay4Py?>Sbu(hbOIXiqlC4vqGCcSURmdhlR#&J#aF{K(^h<+Xi>Cc`Dn8`UWR32j?7 zm|;m@{R)$?|hgVBefMTjy@%{eIYhozLtTPCLtVgHZ-T=l?{ z@0$+sCxr#3RGkpL5yj;S9o?QZ?k%bdM|kcTwa+9{2>b)m6QwitrBe&TAb>{|lT*J8 z1x-*p-Br3AO{na%hO%AqU+QdtqXH~S4PL-aF(f{AMr+zRJHFO6aNcpcAI1B4&B#7k zJEdXvbWZ(iIxF{+dW%)8XMirb0xACf4SkNX8UhEdj@duVKFq@b>=KQ^VJZqniG~Uc zo9%yGo~}QJ$1lbE-YWS`PLK4dsGTPwODyWvB)xO-*T~Vs4W33}?>u48hhZnONYjF0 z!usD$D*HE`a18Fb0*Y>%Li*GQA|3EMh?^|@!UY-uh;Zik#Tv*aNX6^F?*aW6b38?9 z6KDb=T9Fcsh|kAQbDIIMD}=DUF0+3EKpUf~6eFNf++O2q5Nqg9&veum(#j-4?K1zA zhnEU*oXd->{4@`auhYSvJuNdG?29T?QW=po$gPIjk{gZ!Zk%FjJvZo<%?!Wxs2M*e zJIr91d0fz$w(dOFi9$QDCCaT>RSrlPznoa)QH&qDC+iT|XdxPQp?|KkD zHRIPG+TmR3@jdYq#<@AaCtm^O0FY#ird_t9Q@+6>Bwjuks7j-7W_pqzQ~})N7@-h-%k^nY9?eG zhwP(^$ud|*4fQK)`_7y9m9AegG7|__aFIF^l2&46^PL;nmatFfF82iLrOp z9RUv8TNDG~%sRV*u&6|V@_pHz=<@^4!A8;mS#%sVm#Q=i9!XSM>Y3*pz=W3u&8mc0 zmqETu)w2!88boYQDm04|bWpQ{xvdxMDw7mak6tWaEe#6n8%dPXD8H8lL+ZQOenURK 
zs$x2|l#x!0fNy6@QOAR&3P2%@Ts!w)5|U!$iP?AVT{`pjMq#C4hX#NEqij@q7b=W{ z<`v?~pFkn$#sko1M5E5y&pKG&XTBCu&%c|k~G|p^IC!j3Sgl+ z+2SbaF63qeT(qzI10d!t%MfHoDE*N{d4;-3bWj$F!p2`JrJ4U$HEX9=L$0Y2iuwcu zQC6nDNJCk%}ghR1N=u1v;Y7A$B`qz fCo2Y<00G{W0mkeP1TAg7vBYQl0ssI200dcD+Y3H7 literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap b/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a71c0453c2aee54ea70d49ee021cdc2ca8e86a13 GIT binary patch literal 168 zcmca|c+)~A1{MYcU}0bca_lx1M1sT`pjf=PB(WqF$YJ}-*x?QYiOFR^o{lENMusAg zI2dHIX#Ka||DS=ufkE*<2>kv2KTCmugF%jk0Vv9lsR>e+3FH7(p$VLat1@B(D*n&^ QkBJdzbaDw71H=6v0JiWeG5`Po literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap b/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..558809258848a94e744a830335a8ccbcb3917fdc GIT binary patch literal 168 zcmca|c+)~A1{MYcU}0bca_lx1M1sT`pjf=PB(WqF$YJ}-*x?QYiOFR^o{lENMusAg zI2dHIX#Ka||DS=ufkE*<2>kv2|CIs*2ZJ0715lJ9Qxl{t6UYIoLKE> output +# Truncated packet where the length of the IP header is larger than the total +# packet length +# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-truncated-broken-header.pcap +# @TEST-EXEC: cat weird.log >> output + +# Truncated packet where the captured length is big enough for the ip header +# struct, but not large enough to capture the full header length (with options) +# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-internally-truncated-header.pcap +# @TEST-EXEC: cat weird.log >> output + +# Truncated packet where the length of the IP header is larger than the total +# packet length inside several tunnels +# @TEST-EXEC: bro -C -r $TRACES/trunc/mpls-6in6-6in6-4in6-trunc.pcap +# @TEST-EXEC: cat weird.log >> output + # @TEST-EXEC: btest-diff output 
diff --git a/testing/btest/core/tunnels/ip-in-ip-version.bro b/testing/btest/core/tunnels/ip-in-ip-version.bro new file mode 100644 index 0000000000..35d633c8fe --- /dev/null +++ b/testing/btest/core/tunnels/ip-in-ip-version.bro @@ -0,0 +1,14 @@ +# Trace in we have mpls->ip6->ip6->ip4 where the ip4 packet +# has an invalid IP version. +# @TEST-EXEC: bro -C -r $TRACES/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap +# @TEST-EXEC: mv weird.log output + +# Trace in which we have mpls->ip6->ip6 where the ip6 packet +# has an invalid IP version. +# @TEST-EXEC: bro -C -r $TRACES/tunnels/mpls-6in6-6in6-invalid-version-6.pcap +# @TEST-EXEC: cat weird.log >> output + +# @TEST-EXEC: btest-diff output + +@load base/frameworks/notice/weird.bro + From 3accfabdfe041cbeef6a58ef98974cc25c0b70b3 Mon Sep 17 00:00:00 2001 From: Christian Kreibich Date: Mon, 23 Oct 2017 15:10:01 -0700 Subject: [PATCH 112/147] Minor Bro docs tweaks for correctness and readability - The protocol seemed to be missing from two frame inclusions, throwing an error message when viewing the page locally. Add "https:". - Reduce whitespace around inline code blocks, where 2em seems really large. --- doc/_static/broxygen.css | 12 +++++------- doc/_templates/layout.html | 4 ++-- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/doc/_static/broxygen.css b/doc/_static/broxygen.css index 5259c3adfc..ad06b0f9d9 100644 --- a/doc/_static/broxygen.css +++ b/doc/_static/broxygen.css @@ -152,12 +152,10 @@ sup, sub { pre, code { white-space: pre; - overflow: auto; - margin-left: 2em; - margin-right: 2em; - margin-top: .5em; - margin-bottom: 1.5em; - word-wrap: normal; + overflow: auto; + margin-left: 0.25em; + margin-right: 0.25em; + word-wrap: normal; } pre, code, tt { @@ -482,4 +480,4 @@ li { .btest-cmd .code pre, .btest-include .code pre { margin-left: 0px; -} \ No newline at end of file +} diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html index 3df56a12ff..4debd1d90e 100644 
--- a/doc/_templates/layout.html +++ b/doc/_templates/layout.html @@ -10,7 +10,7 @@ {% endblock %} {% block header %} - {% endblock %} @@ -108,6 +108,6 @@ {% endblock %} {% block footer %} - {% endblock %} From 28498f752bcbedf113bc46f555fa611a6fb0633b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 18 Oct 2017 15:57:40 -0700 Subject: [PATCH 113/147] Fix use-after-free in Trigger.cc timeout_val is used _right_ after it is Unref'd. --- src/Trigger.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Trigger.cc b/src/Trigger.cc index 772a991791..3867c607fd 100644 --- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -136,12 +136,12 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts, if ( timeout_val ) { - Unref(timeout_val); timeout_value = timeout_val->AsInterval(); + Unref(timeout_val); } // Make sure we don't get deleted if somebody calls a method like - // Timeout() while evaluating the trigger. + // Timeout() while evaluating the trigger. Ref(this); if ( ! Eval() && timeout_value >= 0 ) From 5b889360705120c9061390214881ea376819c669 Mon Sep 17 00:00:00 2001 
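Review bot: The reordered `Unref(timeout_val)` in the Trigger constructor is now correct, but nothing in the code records why the order matters, so the next refactor can reintroduce the use-after-free just as easily. A one-line comment above the read would pin the invariant: `// AsInterval() reads timeout_val; release it only after the value is copied out.`. The constructor's body starts and ends outside this hunk.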
From: Robin Sommer Date: Tue, 24 Oct 2017 10:29:34 -0700 Subject: [PATCH 114/147] Fix assignments to event arguments becoming visible to subsequent handlers. It's well known that changes to mutable event arguments, like tables, become visible to all places where those values are used, including subsequent handlers of the same event. However, there's a related case that's more suprising: simply assigning *a new value* to an event argument passes through, too. This commit fixes that behaviour. (We even had a btest with a baseline reflecting the problen). --- aux/btest | 2 +- src/Func.cc | 22 +++++++++++++++---- .../Baseline/core.event-arg-reuse/output | 2 ++ .../Baseline/signatures.load-sigs/output | 2 +- testing/btest/core/event-arg-reuse.bro | 20 +++++++++++++++++ 5 files changed, 42 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/core.event-arg-reuse/output create mode 100644 testing/btest/core/event-arg-reuse.bro diff --git a/aux/btest b/aux/btest index 154dd9f9b2..56a368491d 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 +Subproject commit 56a368491d8ef3ef527061b353875099070148ad diff --git a/src/Func.cc b/src/Func.cc index 88da9a7a04..32cc9faf5a 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -383,11 +383,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const FType()->FlavorString().c_str(), d.Description()); } - loop_over_list(*args, i) - f->SetElement(i, (*args)[i]); - stmt_flow_type flow = FLOW_NEXT; - Val* result = 0; for ( size_t i = 0; i < bodies.size(); ++i ) @@ -397,6 +393,19 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const bodies[i].stmts->GetLocationInfo()); Unref(result); + + loop_over_list(*args, j) + { + Val* arg = (*args)[j]; + if ( f->NthElement(j) != arg ) + { + // Either not yet set, or somebody reassigned + // the frame slot. + Ref(arg); + f->SetElement(j, arg); + } + } + f->Reset(args->length()); try 
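Review bot: The `Ref(arg)` taken in the new per-body loop is balanced only by the `Unref((*args)[k])` loop added in the later hunk of this file (@@ -434), which runs after the body loop; the `try` that follows `f->Reset(args->length())` is cut off here, so if an exception propagates out of BroFunc::Call before reaching that loop, one reference per argument leaks. The balance also relies on `Frame::SetElement` releasing whatever a body left in the slot, which the hunk does not show. Since the pointer comparison `f->NthElement(j) != arg` is what makes the ownership scheme work, a comment on the `Ref(arg)` line would help: `// The frame holds its own reference; the caller's is released after all bodies ran.`. BroFunc::Call's body begins before and continues after this hunk.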
@@ -434,6 +443,11 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const } } + // We have an extra Ref for each argument (so that they don't get + // deleted between bodies), release that. + loop_over_list(*args, k) + Unref((*args)[k]); + if ( Flavor() == FUNC_FLAVOR_HOOK ) { if ( ! result ) diff --git a/testing/btest/Baseline/core.event-arg-reuse/output b/testing/btest/Baseline/core.event-arg-reuse/output new file mode 100644 index 0000000000..52024ab5f2 --- /dev/null +++ b/testing/btest/Baseline/core.event-arg-reuse/output @@ -0,0 +1,2 @@ +f1, 2 +f2, 1 diff --git a/testing/btest/Baseline/signatures.load-sigs/output b/testing/btest/Baseline/signatures.load-sigs/output index 52e0eeb92c..d58d0c0a39 100644 --- a/testing/btest/Baseline/signatures.load-sigs/output +++ b/testing/btest/Baseline/signatures.load-sigs/output @@ -1,3 +1,3 @@ [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp] works -GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Geck... +GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15\x0d\x0aAccept: image/png,image/*;q=0.8,*/*;q=0.5\x0d\x0aAccept-Language: en-us,en;q=0.5\x0d\x0aAccept-Encoding: gzip,deflate\x0d\x0aAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\x0d\x0aKeep-Alive: 115\x0d\x0aConnection: keep-alive\x0d\x0aReferer: http://www.wikipedia.org/\x0d\x0aIf-Modified-Since: Fri, 05 Nov 2010 16:00:03 GMT\x0d\x0aIf-None-Match: "97a-494505e0c46c0"\x0d\x0aCache-Control: max-age=0\x0d\x0a\x0d\x0a diff --git a/testing/btest/core/event-arg-reuse.bro b/testing/btest/core/event-arg-reuse.bro new file mode 100644 index 0000000000..6634d059b9 --- /dev/null +++ b/testing/btest/core/event-arg-reuse.bro 
@@ -0,0 +1,20 @@ +# TEST-DOC: Check that assignment to event parameters isn't visible to other handlers. +# +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +event f(a: int) &priority=5 + { + a = 2; + print "f1", a; + } + +event f(a: int) &priority=-5 + { + print "f2", a; + } + +event bro_init() + { + event f(1); + } From aee307f02b26f0d1ea6ac4818f74eb2764247ac1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Nov 2017 16:16:06 -0500 Subject: [PATCH 115/147] Add more test cases to ascii-double.bro --- .../json.log | 22 ++++++ .../test.log | 18 ++++- .../base/frameworks/logging/ascii-double.bro | 76 ++++++++++++++++--- 3 files changed, 104 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log new file mode 100644 index 0000000000..49b3c5d172 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log @@ -0,0 +1,22 @@ +{"d":2.153226e+09} +{"d":2.153226e+09} +{"d":2.153226e+09} +{"d":1.0} +{"d":1.1} +{"d":1.123457} +{"d":-1.123457} +{"d":1.1234} +{"d":0.1234} +{"d":50000.0} +{"d":-50000.0} +{"d":3.140000e+15} +{"d":-3.140000e+15} +{"d":1.790000e+308} +{"d":-1.790000e+308} +{"d":0.000012} +{"d":0} +{"d":-0} +{"d":inf} +{"d":-inf} +{"d":0.0} +{"d":nan} diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log index 7fb6492f1b..45f8783c7b 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2016-05-23-22-44-54 +#open 2017-11-02-21-00-25 #fields d #types double 2153226000.0 @@ -12,6 +12,20 @@ 1.0 1.1 1.123457 +-1.123457 1.1234 +0.1234 +50000.0 +-50000.0 3140000000000000.0 -#close 2016-05-23-22-44-54 +-3140000000000000.0 +NAN.0 +NAN.0 +0.000012 +0 +-0 +inf +-inf +0.0 +nan +#close 2017-11-02-21-00-25 diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro index e6d9a05e28..b824d93676 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro @@ -1,6 +1,10 @@ +# @TEST-DOC: Test that the ASCII writer logs values of type "double" correctly. # +# @TEST-EXEC: bro -b %INPUT test-json.bro +# @TEST-EXEC: mv test.log json.log # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff test.log +# @TEST-EXEC: btest-diff json.log # # Make sure we do not write out scientific notation for doubles. 
@@ -14,16 +18,68 @@ export { }; } -event bro_init() +function logwrite(val: double) { - Log::create_stream(Test::LOG, [$columns=Info]); - Log::write(Test::LOG, [$d=2153226000.0]); - Log::write(Test::LOG, [$d=2153226000.1]); - Log::write(Test::LOG, [$d=2153226000.123456789]); - Log::write(Test::LOG, [$d=1.0]); - Log::write(Test::LOG, [$d=1.1]); - Log::write(Test::LOG, [$d=1.123456789]); - Log::write(Test::LOG, [$d=1.1234]); - Log::write(Test::LOG, [$d=3.14e15]); + Log::write(Test::LOG, [$d=val]); } +event bro_init() +{ + local d: double; + local dmax: double = 1.79e308; + local dmin: double = 2.23e-308; + + Log::create_stream(Test::LOG, [$columns=Info]); + + # relatively large values + logwrite(2153226000.0); + logwrite(2153226000.1); + logwrite(2153226000.123456789); + + # relatively small values + logwrite(1.0); + logwrite(1.1); + logwrite(1.123456789); + logwrite(-1.123456789); + logwrite(1.1234); + logwrite(.1234); + + # scientific notation (positive exponents) + logwrite(5e4); + logwrite(-5e4); + logwrite(3.14e15); + logwrite(-3.14e15); + logwrite(dmax); + logwrite(-dmax); + + # scientific notation (negative exponents) + logwrite(1.23456789e-5); + logwrite(dmin); + logwrite(-dmin); + + # inf + d = dmax; # ok + d = d * 2.0; # inf + logwrite(d); + + # -inf + d = -dmax; # ok + d = d * 2.0; # -inf + logwrite(d); + + # negative zero (compares equal to 0.0, but has different representation) + d = -0.0; + logwrite(d); + + # nan + d = dmax; # ok + d = d * 2.0; # inf + d = d * 0.0; # nan + logwrite(d); +} + +# @TEST-START-FILE test-json.bro + +redef LogAscii::use_json = T; + +# @TEST-END-FILE From 43b2b9806eb95aa3f256c1d4dda1bcf758e94908 Mon Sep 17 00:00:00 2001 
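Review bot: The test.log baseline committed alongside this test records `NAN.0` for the `logwrite(dmax)` and `logwrite(-dmax)` cases (1.79e308), while the json.log baseline from the same run records `1.790000e+308` and `-1.790000e+308`; a finite value printed as NAN looks like a formatting defect in the ASCII writer rather than intended output, so accepting the baseline as-is locks that behaviour in. Either the writer should be fixed before the baseline is taken, or the test should flag the case, e.g. `# NOTE: the ASCII writer currently logs these as NAN.0 (see test.log baseline); JSON output is correct.` above the two `dmax` writes.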
From: Justin Azoff Date: Fri, 3 Nov 2017 16:13:18 -0400 Subject: [PATCH 116/147] add a max_line_length flag to ContentLine_Analyzer In ContentLine_Analyzer, prevent excessively long lines being assembled. The line length will default to just under 16MB, but can be overriden on a per-analyzer basis. This is done for the finger,ident, and irc analyzers. --- scripts/base/frameworks/notice/weird.bro | 1 + src/analyzer/protocol/finger/Finger.cc | 4 ++-- src/analyzer/protocol/ident/Ident.cc | 4 ++-- src/analyzer/protocol/irc/IRC.cc | 4 ++-- src/analyzer/protocol/tcp/ContentLine.cc | 13 +++++++++---- src/analyzer/protocol/tcp/ContentLine.h | 8 ++++++-- .../weird.log | 12 ++++++++++++ .../btest/Traces/contentline-irc-5k-line.pcap | Bin 0 -> 38967 bytes .../scripts/base/protocols/irc/longline.test | 6 ++++++ 9 files changed, 40 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log create mode 100644 testing/btest/Traces/contentline-irc-5k-line.pcap create mode 100644 testing/btest/scripts/base/protocols/irc/longline.test diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro index 6c8ba14974..42bed543ee 100644 --- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro @@ -106,6 +106,7 @@ export { ["baroque_SYN"] = ACTION_LOG, ["base64_illegal_encoding"] = ACTION_LOG, ["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG, + ["contentline_size_exceeded"] = ACTION_LOG, ["corrupt_tcp_options"] = ACTION_LOG_PER_ORIG, ["crud_trailing_HTTP_request"] = ACTION_LOG, ["data_after_reset"] = ACTION_LOG, diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index a9818ff7af..e1be27e795 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc 
@@ -17,9 +17,9 @@ Finger_Analyzer::Finger_Analyzer(Connection* conn) : tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new tcp::ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new tcp::ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index f668be921c..9601be7562 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -17,8 +17,8 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn) { did_bad_reply = did_deliver = 0; - orig_ident = new tcp::ContentLine_Analyzer(conn, true); - resp_ident = new tcp::ContentLine_Analyzer(conn, false); + orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000); + resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index a26045f250..a69674eb50 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -21,9 +21,9 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; starttls = false; - cl_orig = new tcp::ContentLine_Analyzer(conn, true); + cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); AddSupportAnalyzer(cl_orig); - cl_resp = new tcp::ContentLine_Analyzer(conn, false); + cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(cl_resp); } diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index a830cc8a7d..f15a8851d7 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc 
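Review bot: The literal `1000` passed to both `ContentLine_Analyzer` constructors here, and again in the Ident.cc and IRC.cc hunks of this commit, carries no explanation of why that bound was chosen, and the same magic number is now duplicated six times. A named constant in each analyzer (or one shared value in ContentLine.h) with a short comment would document the intent, e.g. `static const int MAX_LINE_LENGTH = 1000; // longer lines are split and flagged with contentline_size_exceeded`. Finger_Analyzer's constructor body continues outside the hunk.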
+++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -7,14 +7,14 @@ using namespace analyzer::tcp; -ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) -: TCP_SupportAnalyzer("CONTENTLINE", conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length) +: TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig) -: TCP_SupportAnalyzer(name, conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length) +: TCP_SupportAnalyzer(name, conn, orig), max_line_length(max_line_length) { InitState(); } @@ -229,6 +229,11 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) return seq_len; \ } + if ( offset > max_line_length ) + { + Weird("contentline_size_exceeded"); + EMIT_LINE + } switch ( c ) { case '\r': // Look ahead for '\n'. diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index 7a5a6b996e..357b3d9527 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -10,9 +10,12 @@ namespace analyzer { namespace tcp { #define CR_as_EOL 1 #define LF_as_EOL 2 +// Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M. +#define DEFAULT_MAX_LINE_LENGTH 16*1024*1024 - 100 + class ContentLine_Analyzer : public TCP_SupportAnalyzer { public: - ContentLine_Analyzer(Connection* conn, bool orig); + ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); ~ContentLine_Analyzer(); void SupressWeirds(bool enable) 
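Review bot: Both constructors name the new parameter the same as the member (`max_line_length(max_line_length)`), which compiles but reads ambiguously and departs from the `arg_` prefix this codebase uses for constructor parameters (e.g. `arg_cond`, `arg_body` in Trigger.cc); `int arg_max_line_length` with `max_line_length(arg_max_line_length)` would match that style. Neither constructor rejects a zero or negative bound, which would make the new guard in DoDeliverOnce fire on every byte; a comment on the parameter stating that it must be positive, or a check in `InitState()` (outside the hunk), would close that gap.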
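Review bot: The new guard in DoDeliverOnce uses `offset > max_line_length`, so the line handed to `EMIT_LINE` can be `max_line_length + 1` bytes, one more than the name of the knob suggests; if the bound is meant to be inclusive, `if ( offset >= max_line_length )` is the intended check. What `EMIT_LINE` does with the remainder of the oversized line is outside the hunk (the macro appears to return `seq_len`), so the comment should state the contract, e.g. `// Cap per-line buffering: deliver what we have as a line and raise a weird; the rest of the line is scanned as a new one.`. DoDeliverOnce's body begins before and continues after this hunk.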
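Review bot: `DEFAULT_MAX_LINE_LENGTH` expands to `16*1024*1024 - 100` without enclosing parentheses, so any use inside a larger expression (a multiplication, or a comparison against a higher-precedence term) silently miscomputes; as a default argument it works today, but the definition should be `#define DEFAULT_MAX_LINE_LENGTH (16*1024*1024 - 100)` or, in a C++ header, `static const int DEFAULT_MAX_LINE_LENGTH = 16*1024*1024 - 100;`. This value is also what caps per-connection buffer growth for every ContentLine-based analyzer, so the comment could say that alongside the note about the 32M resize.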
@@ -60,7 +63,7 @@ public:
 { return seq + length <= seq_to_skip; }
 protected:
- ContentLine_Analyzer(const char* name, Connection* conn, bool orig);
+ ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH);
 virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 virtual void Undelivered(uint64 seq, int len, bool orig);
@@ -80,6 +83,7 @@ protected:
 int offset; // where we are in buf
 int buf_len; // how big buf is, total
 unsigned int last_char; // last (non-option) character scanned
+ int max_line_length; // how large of a line to accumulate before emitting and raising a weird
 uint64_t seq; // last seq number
 uint64_t seq_to_skip;
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log
new file mode 100644
index 0000000000..b88f8724c5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-11-03-19-17-18
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1509735979.080381 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F bro
+1509735979.080381 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F bro
+1509735981.241042 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F bro
+#close 2017-11-03-19-17-18
diff --git a/testing/btest/Traces/contentline-irc-5k-line.pcap b/testing/btest/Traces/contentline-irc-5k-line.pcap new file mode 100644 index 0000000000000000000000000000000000000000..94c8815af2e90197166ff9cf4fe096a1fd943b7c GIT binary patch literal 38967 zcmeI52|SeD`~Sz5HCam=D#{XL>`ThN?>l8T7=~etwM3hw1tHo~651r9MU+SzC8d-t zl}H;A5&v^$F*8h0&-ZzL&;Rv(^?mMMcQbRA&wZWub)9qH=iW5el;koaSP|5P^nLmD zao3lt<{(yr47f6b)ewP@+MI|$=*&VO5)cR`xPB%mXxvuGe8nU0bJm7$Dfh%81OnC_ z0Cm+t9k`O~DqE=N(A8DY_)LKHK>hASzLhx>Qb3T2gDcH#?twJddL1dCBQ?Q;IH`sp zt|T3`+*hIWIyHkC@hcu+J)RY2VG>19Csp=QbQT{C zzm=YXFBS#M&1PcVz2{{V_{IbEz;c}v{0F~-tcNx^v{?unauy4@EU_GM+bqV04j_~G zUBCxJh>(xQ1Y<(bei(0g96o@OwFnszj0ug9L&>WkLvW!u9~>?i8RCrzmG_N^pcI-9 zo2-dMMn^{zRl+DLNJe4+I673$(Oyd&AEk+s*N|6~N2y4Q8>4-LaY#i46iPu!K}p=vCo+@}i9{*LD=3Rg zVIzGpe$wJb7(Ch^7lTxiR|R#z7N;5xzBB&8q(Cu@#|lRfx5W8j{4r=hSRB^jfdBDP z@J*$VlHt#}fB4@#kP9ob_=Q4TFi0pt@%9t=LGlGDllYxMOf+>gP)hRYhZx$cL@Fsp zxQ02YnYmhljF}N}IvXUz&?aUv!*7&eK|m-lfs1HWq#q1b3ZzqC!4Gz@lFSl{48!8Q z{bmFPr8qU1xb!_utsD&PtcWo+l@B^DNr_b#Ea1mf&eS&8t*j00?5yoT0uwD{#y?;Q zx*R$|swe2m{DBKT?f`;+$^|{AC?y5-ZB)V{gOp9xZ3u>r%HeUYu(Ql`LI!1w`wyKE zunNdgov@UV6XZjEBfRA!F_FIVXun8Meu@JmL~PK1>=GF5qzJTfF|fAOHHEQ72a@rR z|7)KNEiTqy6=coy$r0G5ztAzzpFur# zrZpPH;FGuzH~Y6c$dtF3bb;!W6X6z!8~7W&14`2g&V?y(f$b-%FCd3jSO_7^dqyuO z7U5A;P?uL%0As15yb`EKC&JF8;|T?c3;1#D8RZ9Er2M@9Jzfz5Y7jT{3tvB8YD6i? 
zudiUCYZ4npFt@igi8YHc#e$rfu1-t>$$!Dsv0b1Zwfp^T7yq}9fsf^KDP(`;1F5OV z5zsfXurt+Hit~1GL}76j#xa2mozPqG*PL(=I*;mv|Ftpjv2xR&^@;phN=X5I4ZMrJ zvy!=en1gGS4IXRC_;9gT@2~mfB|Pp1W1xB__#`gGj{CPe2ppD(O8=W<;1laQ3V>hq zzb9tU14LB7*CA2PF-qvTI6^?2FFM9a4P?z61iL*z@?RJP?+Jl=)c*Ikef-}(2tIL= zq@ewk6Kvp+Ms|W#sHJI;qOHB3y0VqIznUZ5L(X(U_9RID3r=9w2KA^;_+J|YpSWM8 zkp7iVoSsrj^6RVln_?~93?l6?;Xz@pK0Y94rb~KZ@?UU?bT6m}#z3uq$3OrAE)e41 zJ`Q{m)dysVo$6Pv4m(OI$*&(4;%A5TcEp)kSSdxC+IfSVnXW!x50d|atJ|DGJ!4I7LfuV}b?V7v+Fu?1V}0kLIzMN80KtCMo6zhy~jdnw+*abT1`6`2~nH>W<@vr!#+7{GCV81T#B#3+(fM#o?Nu z9-QQD1)s#_|H9!@0rCHHiZ^vW^Dlav*l^nOUy6XoR0u$IaNP5g5P&Dcu8{amJBRuQ zSBYBBa)2tt%~Gx*5q~haBJlKi8l|X!esoZftC^y6cz}bCZaBsS%lOo1jU}i79RY#` zTqT0`PhAtRA!p6(!L(P2em24rjg&#c%SXfuKS*C(2)I-ffmB7RDj}UI$#Pg+08TzE zGyrUjSmjS$HBz9I{-3&P^hZ%rRzyMa%P4tiKq<ls^HL@PNFO#H2bK+eoz zqs9Ux|8qg&$RJ1vfsr9TNbt{x8Y-UPx~N}>H$GTCA}RohQd16#k(-Jmy3Bv$30#~6 zKKsR0$Ulmw*TSIspBr^1dniQ(^n+DU*Z`D|y|2H&QIL|d9R_4E2q@x3BvRHtFzU!N z2q+Lren>rVnK~j6jrEsPR)_(Yj6GHVjg-F|DQ%qG6!-sXQ*r z#w!@vp$MjWa0kF3QYbs2e`fz=#2`{gLytOA-J3Y{grcJ(rgli3uNcIb*sDOTKu&uYHl2RPOilE>dp{L;uvKT~=HAw#Fc3w&h zB1jpjOpF}@1{dm$k0nNr9JqG{2G73(&fgwzR{o&Gz%Rqa(VS9LK;Od33KgtqYZ)1W z@77WkDi5f+|F_EW8I;FU4*kn|5s#sBkIvifN(frDgUQY_&j@xF`>cp~UC{*9!+ z8%bTvQ}>qtDw5iyr)Ks4$W;A5k0g^niX?BOKI!c8wBzRKssF~%-;Nb29p*Z&xqIv0y@Mq)H?(XlBhY% z)2g#XV&H>o)B>CsKTjMU6W|#Ll4q0T!2eUpVc-W3T{0dW5yqf2F`2$JTNoZkz=6tK zQv&P}XnYjLcgjeJ1i|4KiT8$QNWph@m_SVBBAVqBOF%;c@NzUcowy|i>5wX*<4vGf z=fdKAy|KhbQY1+Fq;#l8m(CM{iHJb^dCuGddmtu)fWyav;zWQ%8BU^^VZlVuR4Zo_ zlQCfoWH?EvX4D`iGpxZ&hzt!yV?D#X@#s+EhWLm!z}Ev}S0ZO-)*aWT zaUR;Pps^zV+o_fTY)qnvk}EUl&7^T*+2S-eHidaCEUY&E4%#&pxv|v^CQIoLr;q z_Ya!iSr2{sQQ6H=8e!SRzuv+sq1#W^*-lb5i&k{~KY&b?ds*Hl!DNN2rGt zn&#p46DQ?1s10!GJiVY^4>g(lc{p`?KG*wdFE2F2L0D-wNe@{?pXe+*uu&0Omn!Z z_zlUBd92!&XU?}t$^1w(x_oq^Ru$iW0i)Q^uX8CcHDt$VVU089ZD0G*Qw>(@3Z4=C zqjt}6&Bo#-^lla&$g(|AEk1nb^X@#PjJfZ6`?k@iNtJ2OgX;*paYE_Y5HS}y}Vu@+bX^@;hw$u zn;j))wj7a4S4-b^M6rgU9gj(`-;nxvLki2h#9H$!r6D}=*yvb|tZ?C44B#5lR;*RT6MZ=ObZ#q%h= 
zTNpJrr-=~WVBhWMa+ot_C{PDEM|_#i-bsn7svYjCYVD~D#m+ooQ<^)^dEXX`ClU&Y z=Gm{gcn+Ucc(6<$*7eH%)}_np#2%dAH7r|FkA2(6At7Fk@|llIJO87&K>wOS*AmSf z^tRD;E7&7DdU$z)iZasz&s-SIxq4-OaNO=lv6t&!mOq+Ya|-ENu;juJ@5>vr+Xh|@ zOI%zMm%KqIg*Sb%Uqyr0oD+}ohqRiQHoZLFeyU=X=j<9A9S)axODjkIgKc$9B1;C^ zRx`P^NyvOTHIcdvv8k&2Y_$~2BIUd*dvfM$a4dPz00*ZHU~rng6EF~`ALJA?hPK0j zX+{3ncp{(ND0T3LgVVCbQ0K!0E24=LL0n0L9A|^eg+I^{ksD>NnHuC)Lme>4u_%m) z^gUx~I;(wo^TAyM&)4slj+z|O8+=-4)p_r0(Fe0#w@!-f@D5vevOikL9=p%vplI`# zye46zkcuM*M0T}(Gg}wGb@lmi=XP-3A+G~h4it(j z8CYe{V&0P)ZKE9|x23&4I{f8ve7-H=fPZ$?hkP}}LUpbx6B+AFkDHH1>~bDlUh>rY z&Mpo_+KThMEU!BpfGFDEYhjATm9*6# z-tXb4&ARFtE4II?VEgDMz!MQ?p;A14!8pjx$B1+Hc=Ll{6PYBz z5^EvJmSfz5;TwxT?eb}`ICd|k+^FPH!JVC{C1 z@mLP@ut8GP13vLd?sZFq>jP}}4k*dw=K5$zu(>FE99h`DLbl=k%A~gJ>)pF~A9M?f zj*BBbzuw!vB>mXJ^`=NUzc!^vrgXgl9!-JI6ot2|tq!Yn^pmx1Hb3!jPL&<4aL8;e-@(x{f;Mb%KAmc**tMC12;s zNW|?Ny=N6HjbhH+F^jWw=iBxTJ@-^+MRZJTu3dL|V|%hhblAdD?G`1bx~@(Zjz!WTkyN;YX-^KD|QpO`4={7yz=EJ6EO1LLo6dGqaii{ap=ugqW1+(~=<*tWO3Yiy6QUFq_tfiGVB^2@nh z${4*_#EVYXWhs!DIJUh1u64FS@&$f_$R9Q}$dZnuuU9Weopv!C{7`(@YgtIV*!;Em z>o=M`{=}p3!u9;Y7d8ry3r5F=c0Ipkk*|_EyU`<^zcZ?E|L&rxU{w@s3-w+nps|?bXaTMz~xeR+w_i|ju_@$#-HTPMa7n^ zU)1TERQ7(24w^Lh^PJDj7GiccH z-X@2=?r*nbB3eZ^GzJ|p{2=#gRP>Tnj`Xv1ao0n~6dbjJcnbU#L^q)LDn8l{ZsL52q|7%_sOjFLAHdYnR1U2VToazg)o` zh_!v%w^{K#VxN11M9|3h54+AWOG7O3etsW`76JXWRDKD7)=(Hm1(Dmp2 z*HC4Xllq*-uQa}APaKUfyP3S~=B#c0GJWm4&gstzUng(=%D<^Y`>mE)O4;a-lc86$ z59bD?E!mfDu;@+7U5}bmbFv>b(&Q;@5*ZSGOGGY^~&tm@Cw?Ugvb_Dbfvr0%aA zaZ5jB8Hio2YE+RvV&Sr!<#xb_wVh!+;h&qtyz+Gl$`75qq@ZphcRr8z^QX$>y^^(6 zimtp1?*|$EcrtFV#mcvV)heOIUG)0VS+f%PIgcx8=o)Oh>zn_fWsaGj$yKM|sG@tD z9$!**lYSm}%%ctEVe#NcuD{whr;O!aS-+bnSqZICO&&CP@*q37uaEhH%tp6YgJxV= zi_h-=el_`t1#(ZpXFgnyGlza+=O^Q(RN)I_4{M- z(M2oEr9zL|=Cu^JD$h@Im{@DqC?Z>q)N+0L`U-A%5z0nLc=Pe3w{OID z%Z_b`3NIgiZ!xr2S=c1uw8^cdYPIj<#L@^Sd}~j4Dm~tm>@iQfbX&W6%8#RQxy71o zs|Gt4gpSVd{a@TXZ^6&Ip~Px=7R<`Q4{Ce)7$0kyP_sccJa#SX-dn)X6<&` zx3$Z9Z$ewMTesERS913h()YagxT+LovG9gdXhP4i%{_6iKCF@4y;3CmD0cR>@`e>^ 
z+_T;br8u-bdS9C&J2on|Bji9uJlj}r)^nU?;vQFi{hny{o`$1V+vYf<2uqG%`cVFq zr*qgx)kj^e$l9MG?#6QeDkUAJy$lJ=x@y{UT{UZy52glG^Zoo-=dIh z^rYn3mpD1B?3o4Yv`}|0{II{HyX$_7*Q?SmAD@NQv7Eb5an<03*SMi=OSQrW2^&d= z!@Ie^j=lG~{)5vV427AOD2gb)+Gkdtl*px0i@851$Ub;b)gbj(zEsc02L*~N(6vyECMho4YIr{{Tzh$lIcl5QtRfIUX@zl0VR`&tztz+kB$NU&z z-*x!@1-XjCefOfV$dfgjmSdTOzRVTcyEVzVZ{@<+fGlN!-VL?KYa%1gw#`4nEtm=+bbaswV-W640JAH=yk}pg+kkY zrXvG%%s`vrO6F#CxrSbc&K?n954gL8!VB8tXm4mI?vKN9S()ma6Td(U)fiaVy^>y; z#==%$;ZsH}T?KTEfOT*sTc{_>MXy7)u$4#*S_mE~p|#M=+SE#XnX@5r;eyt!VPIYH zR(e$$>)!p$Is>3XJP!y?zLBjPZ#_n@L$>bSly#r!t@HNr^+Wpy1Y&}Mu_2+juyA|? zAu=jDCN@r2Pv5}M$k@cx%-q7#%G$=(&fdY%$=Su#?Z2@O=D{T2T~uET)G^l>A5)6ckS#{jN(Xt+Wi zTcFO3JK*a1G_I?s^-2;~?HC4J-$0$;iR*K~V>(y6;Gc0_tpm8$&~Sx3-axJiZs20Y zG_Jz&^g1N2t952_l{AMszZ2I(fX8&MNjvCyP{)Ba9Dr*jl`G^SX%4x@4)V_6+LuMI zL*lxIg8|ozQ0I5znhtnO=Q{k;@pa8Zz_px)E97xe7I6Kc0fKc}yrxb&?jm!2IFsx0 zxlreK;R<<(Xfn;esddwLxbSDhRNT-QUL z--)X>;4wX3ombHFpmNpq0$ht|xI!N5A=e2k>kO{z@$@<*uDV_fxOPIF--)YA$jo_@ z&`o+CRIYkbfNLHNSIDCia<%=+HiPTPC3+naS3RkjTvr%Co!^No2Jo03ul1kkdC+kE z47eVla)mrr7(lMKc7i(xri}w4cj1|NZn0N&1 zf%>}>`82oC*x;My#-s{$3`%Ft`JOA$>yUhFkjTKdSlE`|$+v3(kLg^)ed&2neQRg} ze7lo|E98NNT+>W}Bd7J5p$d8(5?4bL23(t<&hNyv5b&7JHTVNP4=Pt9KEQPw4Ohsc z33By+HFM54YZ<)`iK`LcOs>)zQ0I5zx)Jc0&b5D9|E1yj3~=2@ikYz)c}v_@oJb$&x6XyWsbDlp)B z6YBg0CEWJ10)Vbp&ul({P16ZbGg>YiG@f*KgBqWhHYRnaNdF66*X;T$2Eg z8C<34>la zExAz%d&4i5sb92ff<$Nk1$@Ugf~o%5^ED5&lu<1P|*s zFFH~AvZPycC;$0`Q{u>ZnHjNrS~Y|27q+ztS-8$`b*x!%sFTz{qDba~p@2ltKFoXbXC zPgGV8Zdxbl)HPzwRq*X(f$-vY6=y6;46gdso%<4pZJIME8fA>CuPQp!`;dKTh5lqz zPVJoS>PhdP^n9~$Ijyek-H&Z^R*rnnD)vH@M@@R^oh(tSX10V&UxwWmwz28%Jm~U> zl`HN*^~#=WWma!8!y}wu2l&|sG!vYQotZYUwOuPe72V&D+?pMA{ljh{SBd?H50=e( zucQ3<-T8&qL4)OWc;Uwy!|XjfYF?aha6xl7s;8%!TOU8(7mzdMWNk;=0Omq6o#ufz4YO7djl0b9_t95L&8pdX~E-h<_4! 
z?~Ux#`)(Dj#%bKNmP@#N%&u9}ZJwp!4Giz6Z2^W6Y$h>r@rPABg0*MMA;jlQ)UK_2 zv+s@GTy;Eh(~p(AZpbOhiC)tEc%-rSsYP|w`mEcApM$Kvy#CUZU?TA}$qQ4{$)$$A z?UL@f)oaOh1z-GHLXo}Wvh(znNHuw(U!oaGV2X0q|F zfhLh!Lf0nSRN7ujzVJTS86CAHBHXiHu0itPtNOyo0A}GeXxleg3s}7xV)Z7iZmO+zEVF z&+B*3LrAo5Vs+Fe>E&gsm<{JIy?rBJJLvF64-@iD7)frkC6t!b$$!HN3E$o8v)KSmZsGsuC#Np=I&ksq9SVoPN+y$)&TVOGsx z=aCEt%in3|VF-9k=X!S@JrC;6!#o-6JX~qGLLSMGYk>&|f*D+!C9dE=-;kMW;)gK3 z4xN8QRz`6Qg8ex0IWJjokT1J|c&l^Kq8M%^U~oOAK6^u!;H%D&r_Ma=n*u@Jr?w;N;B2yU|RAbPM1rE zq}DB37IZk5hkfEZk1J~F*zoZ7Uz|nw>4YuxPH>^@91rtu;fK z=q)M_w^w4g_~tLLs@u}n(Gab5tV#7#nB-gm0~ra)laudGzc|93Qs6z5y+AoBBH|!3 zkKj%zTv^vmRPJ-(va5btm*>y3t`kq%zng2r_c)c2Lyx6Zj&DD2)>kc+h@6kFD-+M( ztmAXvWsZ1j%_&e!x*NPrxuati>(jgqT}d{D`+To`Cv_Z+gCT z*om3fRUoc0XKApAe!+{leWPrfHomz~f*;+}RCnZHb=P-6)+Ke=s8bS?<8Ei4-5(SA zlJ2yI)A@mJTE?jQ?W}8(lBa{-h76i5w%DpsoA+{iSV@`Mkhl`_oH@CKB<*X7V}|Up z4V^0`uRRjz+Go8~ytA{n+91v}>PM@wD&F8-x64Y&#LTD8n>BU#%N_}qqQ;g)3ii$o zJaTSHl;Q1jCoVS}zyD*sS39TSHe5XuGf3+j4H zm$K`WjO=YKtb8A!u~;kQyt4IsnVUr)*XCe3r2?->tWO^KzTcE(P?;B;$?-L9k*E_LRBO_G0{8LCrxN>#CJFh3> zmbQE4ZY)2eIWBo2^J|U1^U|LATn67Rwy|d1SBBnH^l z{qS!$l>St=dgB(q4A(RM8PSG3n8esKFO+!f!(;rl1R8=uu9fQ_5%R#kQ53y%&iVc- z(Jfh5A3MfYOVMF*f6Ko zPk;Bp>xjm8&(rgo*FNVxtMjyiQ((jau|p)GORV?f{Jd`U^9p-=*GV6^y(Pvqv3|gS z@9Xw87>Q>a7hg=h8da2kCi?M}gFTm1)7ZZ@-Fn7iyyl|3LCKiB%i+EDcOMzlN@W%f zeT#qS&$Q<9^;=l(xhZ^#c2b(1`IYYuV#X#-_Ga|-xF2@jgJ|1dIot8Dk5r><+L6FD zk(XQKbditk=l48|ac|gLV%yLweRQ@iFKW3f|IKT>^G1X!q}NOK9*xo(ZBbpvA{%k& zd{JTV<JEGjpT>jZriUt<4#qOw0csi$0ibGgR-Z5(dNk{wJbZ6|LTGnEIH?C24; zhD>!$emSr6_6HWK+1G`@ z+bhJrCzHVD-w^luQsDRC1?W<|y;jnjr8_!f$`LJh-mj>Rm&H(z zulz{JO-);Nv{t7dEg)cAdGJPXV`P72;FrV@u7JMVdvBm#hU%Wxm^TkOtI_GS;+=bL zjhZrk*Sc%l-di}=<(!c;(m(#*p?I#lQ|j|f^mY|Zi(#24k5!uj^S>JDb}VvN|_KZ+B0q!eBLah3ej*2X(j6)fwy;qzBY}-5z z+&hNf-p%x3K+^dAO`{)dALPW=_}-EoeUstO*X36t`CRI1S-9Z$R4>1!T!&UmhYa?) 
zvugg>x)PB(8G8A^#wX>XuNPg4KV{}2!hgGNz26>1Gw<$8T{l}~;$x1be>YSSf3cps z-y{2!{Dkqv{CO#!fsv_Mna@1bcIp-oo+TaistV$$^5RI0z18io)1|C2IVnJurw=Bf%$=UeeOVq*Z*tWFI!y;;@pYPqdw>qUM_ICe8|2btXV@tCd z5pQ+WRTc~1Yc6#Ty5(y+qOV!A6SI7BIIuuFf^*T{+k5PC4ezDDD(5=lzc`ZI_z3UFPNim7YT=pJlh? zO}g2Wk9IzA*y5wKV~+7Yxsui|3oNB=a>jOlx?d3_xD8n|?^IkG%l9~C3|d?%Hlrc0 zjQhimft!~Lp39~MmC3Yq+bZ6C;Jw1>tL;)3rK3u_ma8I`iVdzXY<}(jwMt~K{+g}L z)%U+hpX0GMzE$=4)1+!KVx9)dS5Y@l;zk_Xew#WMqq(p4Uw1)0$f}Weq?fdQ@%yUW z!&rQT;psUqv(7cyiS^W;;nlEgu6sA;y2g8+M%KRYFx#cMi+HcDSRUqOmB}@%u;i=W z{^Khi$mKp=ylt23Vh>gBL&mGF$E=Rb?*1h0Rkdqp(v9bd3aCvZs=1Uxb(}l)cP&<^@&y-gtJmG>t7a*(^Q3efFJf-wx3dJ#7RtA=nBb zT`hih{y<{$TI+e@+zVwy&UBvcJkTgnxo7EN+oQPS$G;7p9Z;|CU)A&cLCKKHfJ^Dk zr7~NxnvP(L#Pegj=RWEGUa{|Tpm9WT8^OI2VR}60bm_wF;`YnDS8o<}@XR?UnlR+) z^T@$kB`CA{LC{92o`M$xkrgp3lPV9g548HsQr6;OI<$a)b6NCp9VG?XlLF?hH9N+Q zhx58CN>-%kI*<5li9)h{36+uB-e`zjvhR>;YH6p>^UycX^0iM?TeDrQ;J2Us_DR^0 z4B_xANj%pIG7tu*t=C>=?OB)qIAKNjN~tZnHl-XR_T#5L+2=}s$u;d#*0p=itAyZL zHC`jwo*3F2tRH(g!2WuU;M?RaE6t47JYB2pHr)ML$9muG^7+?tH;c?3Fiy$lN*v3I z=hxYWwZ6BltNx~Y*8+G%d<`5CPd~EmjG#XvCY?^%ug)VM5}nAmq?G2!8Xgf7PkY;L zpLxkx><7ILX~trn%wWdS2anKyrx{BW;4yt5x#*fmWLcyp&e3TAqN`l+X4Zv@>l5b(qX_C@|wZL5a1 z{Y+=GHWR`dv=6StHZmjJS?uU_YDnBj_P__#Y$<1OQ8?H(P?h-7Iq(UW`CtX7+qo;i z=K`1j{?1G=8ZU<;0>}m%oDSfG2>k|W3{L`v(>!5E+#n7D$OSrAfH+*qhF@BuPOn2Y zJc$Sr8eT+aIDD%X2dqn8@EGF2l?MMu@P(n#cuzlcgfAWw2H&eiEJ)0vl!s#AJ97#X zf`gSf=#dgwb}^BD!75A$W@0JUCpU03uD)A%aRo&4dZz z3bqJWG7-l^+vthV>4*Rw(yQoZ8o3V|4h=p{XK*;EO6$Ui|8Fkj4Dk*HFO3Ib z4V&W00ExgC`le8keD|B?!zm=IotO{~piOWkBeCh#`~w|`1dLCl3o0lAL<^BX$B`Fs zTuyx_9kkUJY-76nj(E{;gM|INAHXgFY<)x%Z*Us~s1pEmzJOqXE6G--55ni@b;xa& zkZJ>M2DVOi(b-A>wsC-GQOOHap%t2-j|(N>aac`Fd?Xg_3H~k&Vn!l52E0Qq0%0E+ zVh`R_7on-?i;V=Y?!$Wqpb4Jf4RDcI0)tFKAjk^DVf{RP@i_Q)I)rH`0Sz`37Ksl) zdxG}_hRocQx1S#4OfyfY$;>hJ^uy5%490FaW|C1QPQJ`T(E?l5!geB$~$%iNQ(?q|HEwZa>S6 z&@ok_*C7RxavLR(;A8MKK~D@MFjFEf(6${6Y+L`+AXo1FnQae%4(yC@rF6)4hJz~X zEI>yDw2{6;5^ejV4%x=QR;(Pu_Vt%xNv zIns27vJfAGuG 
z7jzI1k2J#rea~UgXBgN(D)lQf(4oG#NH8?u8TWj2C};?2kRcBs)Gd*_K6Si^fTc-Y zlw3H3*yKmvFyuoP4@D1op@6WGG7{%du3?&X3^=ENn zZzdf#PcX3UcoDrOjcr?hW*e9DOxs4Q=ygbaWPIx%*+x6o@B_{1JJjxn^qMrbr2*Tj z8F3r%U_$7Cohe*N{g-J~`{qB;5kXZ?Dopj?D7a$=$Y|c0ix>gF!LxG2BTp{)JsOR{ z`++ZX3w&+vPV-PCCGn45cnfT!d9!UG_yL|LATR$XFT7=)@%~*_FfL%hCWzw_ar?8# zF-~e2>9`uaG7*iRDh1OsT znyW^yL-Mc67tk-#z&@aQqJhpYQP40E@E>{E2R^|Gexl{jKeNNUeS^Wy+#iDlU7TF# zrytY(!y1b7Lxa*ZfTo0qX+$Mf40vlc_(mj1{Es~%($^R4(5Dh%YZoz~rq@m1S}HZw zY(TAy5j8oWV*oY-S8_D#1gxajAyHG!rcj$y{zGcxz)%>)(0JIc*}kNAfrDKE>BYw& z?dQu3YIFeu>v2Tjed%8R3^#-jgzrQ~`x3zGjHl*=urSPHSOA18bRn@{Ff0&;!$U{F zBXg1h8x|dfrVnxU5a1Xv!2m@_E`+{OX5bqYhEv6H5YcKUfN#z+@=YU_36T%(|A#Bd zH!R0Lzoz#M)yF_b1a+1vd&)PluxCKSU|rI};z68w!5?g-3A8X}e+P~n{k#d@;H}a) zJetUZT!->OoFBs}FG z=s;G4EV#&Z9PKFf!T6-u0AKjzNn-gxdu{Ch15vO2Pyhe` literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/irc/longline.test b/testing/btest/scripts/base/protocols/irc/longline.test new file mode 100644 index 0000000000..0573494844 --- /dev/null +++ b/testing/btest/scripts/base/protocols/irc/longline.test @@ -0,0 +1,6 @@ +# This tests that an excessively long line is truncated by the contentline +# analyzer + +# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT +# @TEST-EXEC: btest-diff weird.log + From 6e89505d06f4acb83abcebf167795a6e6bf01d0b Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 6 Nov 2017 14:01:07 -0600 Subject: [PATCH 117/147] Fix ASCII logging of very large values of type "double" Increased the size of a buffer to be large enough to contain all the characters of the largest possible "double" value when scientific notation is not being used (previously, the nonsensical "NAN.0" would be written to ASCII logs for any value >= 1e248). --- src/Desc.cc | 4 +++- .../scripts.base.frameworks.logging.ascii-double/test.log | 8 ++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/Desc.cc b/src/Desc.cc index 1d76c32e55..b64bcec8d8 100644 --- a/src/Desc.cc 
+++ b/src/Desc.cc
@@ -145,7 +145,9 @@ void ODesc::Add(double d, bool no_exp)
 AddBytes(&d, sizeof(d));
 else
 {
- char tmp[256];
+ // Buffer needs enough chars to store max. possible "double" value
+ // of 1.79e308 without using scientific notation.
+ char tmp[350];
 if ( no_exp )
 modp_dtoa3(d, tmp, sizeof(tmp), IsReadable() ? 6 : 8);
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log
index 45f8783c7b..9d5dd6ecf0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path test
-#open 2017-11-02-21-00-25
+#open 2017-11-06-19-58-08
 #fields d
 #types double
 2153226000.0
@@ -19,8 +19,8 @@
 -50000.0
 3140000000000000.0
 -3140000000000000.0
-NAN.0
-NAN.0
+178999999999999996376899522972626047077637637819240219954027593177370961667659291027329061638406108931437333529420935752785895444161234074984843178962619172326295244262722141766382622299223626438470088150218987997954747866198184686628013966119769261150988554952970462018533787926725176560021258785656871583744.0
+-178999999999999996376899522972626047077637637819240219954027593177370961667659291027329061638406108931437333529420935752785895444161234074984843178962619172326295244262722141766382622299223626438470088150218987997954747866198184686628013966119769261150988554952970462018533787926725176560021258785656871583744.0
 0.000012
 0
 -0
@@ -28,4 +28,4 @@ inf
 -inf
 0.0
 nan
-#close 2017-11-02-21-00-25
+#close 2017-11-06-19-58-08
From de6883fa1c07b3fc8c621729b70741e70438da25 Mon Sep 17 00:00:00 2001
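Review bot: `char tmp[350]` is a bare number justified only by the comment; the bound comes from the 309 integer digits of `DBL_MAX` plus sign, decimal point, the up-to-8 fractional digits passed as precision, and the terminator, so naming it makes the reasoning auditable: `static const size_t double_buf_size = 350; // DBL_MAX has 309 integer digits; + sign, '.', 8 fraction digits, NUL`. The fix relies on `modp_dtoa3` honouring the `sizeof(tmp)` it is given, which the old `NAN.0` output suggests it does by writing a sentinel rather than overflowing; stating that assumption in the comment would help the next person who changes the precision argument. The remainder of ODesc::Add lies outside the hunk.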
From: Luke Valenta Date: Tue, 7 Nov 2017 23:19:30 -0500 Subject: [PATCH 118/147] add verbose SSL logging output that includes cryptographic values --- scripts/policy/protocols/ssl/ssl-verbose.bro | 103 +++++ src/analyzer/protocol/ssl/events.bif | 66 ++- .../protocol/ssl/tls-handshake-analyzer.pac | 81 +++- .../protocol/ssl/tls-handshake-protocol.pac | 391 +++++++++++++++--- 4 files changed, 571 insertions(+), 70 deletions(-) create mode 100644 scripts/policy/protocols/ssl/ssl-verbose.bro diff --git a/scripts/policy/protocols/ssl/ssl-verbose.bro b/scripts/policy/protocols/ssl/ssl-verbose.bro new file mode 100644 index 0000000000..4de466327c --- /dev/null +++ b/scripts/policy/protocols/ssl/ssl-verbose.bro 
@@ -0,0 +1,103 @@
+##! More verbose version of the base SSL analysis script. This script
+##! additionally logs client and server randoms, key exchange values, signatures,
+##! and certificates hashes.
+
+@load base/protocols/ssl
+
+module SSL;
+
+export {
+ redef record Info += {
+ # ClientHello
+ client_random: string &log &optional;
+ client_cipher_suites: string &optional;
+
+ # ServerHello
+ server_random: string &log &optional;
+
+ # ServerKeyExchange
+ server_dh_p: string &log &optional;
+ server_dh_q: string &log &optional;
+ server_dh_Ys: string &log &optional;
+ server_ecdh_point: string &log &optional;
+ server_signature: string &log &optional;
+
+ # ServerCertificate
+ server_cert_sha1: string &log &optional;
+
+ # ClientKeyExchange
+ client_rsa_pms: string &log &optional;
+ client_dh_Yc: string &log &optional;
+ client_ecdh_point: string &log &optional;
+ };
+}
+
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+ {
+ set_session(c);
+ c$ssl$client_random = bytestring_to_hexstr(client_random);
+
+ local ciphers_str = "";
+ for (i in ciphers)
+ {
+ ciphers_str += cipher_desc[ciphers[i]];
+ if ( i != |ciphers|-1)
+ {
+ ciphers_str += ",";
+ }
+ }
+ c$ssl$client_cipher_suites = ciphers_str;
+ }
+
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+ {
+ set_session(c);
+ c$ssl$server_random = bytestring_to_hexstr(server_random);
+ }
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5
+ {
+ set_session(c);
+ c$ssl$server_dh_p = bytestring_to_hexstr(p);
+ c$ssl$server_dh_q = bytestring_to_hexstr(q);
+ c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys);
+ }
+
+event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5
+ {
+ set_session(c);
+ c$ssl$server_ecdh_point = 
bytestring_to_hexstr(point);
+ }
+
+event ssl_server_signature(c: connection, signed_params: string) &priority=5
+ {
+ set_session(c);
+ c$ssl$server_signature = bytestring_to_hexstr(signed_params);
+ }
+
+event ssl_rsa_client_pms(c: connection, pms: string) &priority=5
+ {
+ set_session(c);
+ c$ssl$client_rsa_pms = bytestring_to_hexstr(pms);
+ }
+
+event ssl_dh_client_params(c: connection, Yc: string) &priority=5
+ {
+ set_session(c);
+ c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc);
+ }
+
+event ssl_ecdh_client_params(c: connection, point: string) &priority=5
+ {
+ set_session(c);
+ c$ssl$client_ecdh_point = bytestring_to_hexstr(point);
+ }
+
+event ssl_established(c: connection) &priority=5
+ {
+ if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+ ! c$ssl$cert_chain[0]?$x509 )
+ return;
+ c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1;
+ }
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 7f0814ee27..feba12abb4 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
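Review bot: `ssl_established` guards on `?$x509` but then reads `c$ssl$cert_chain[0]$sha1`, a different `&optional` field; when no SHA1 was computed for that file, accessing the unset field aborts the handler at runtime, so the condition should test the field actually used: `! c$ssl$cert_chain[0]?$sha1`. The cipher-list loop in `ssl_client_hello` can drop its `|ciphers|-1` index arithmetic by appending each `cipher_desc[...]` to a `string_vec` and calling `join_string_vec(v, ",")`. Since the script writes the client's encrypted pre-master secret, the DH/ECDH public values and both randoms into ssl.log, the header comment should state that the log then holds material sufficient to recover session keys should the server's private key ever be exposed, so it needs the same access controls and retention limits as that key.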
@@ -177,6 +177,20 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 event ssl_server_curve%(c: connection, curve: count%);
+## Generated if a server uses an ECDH-anon or ECDHE cipher suite. This event
+## contains the server ECDH parameters, which are sent in the ServerKeyExchange
+## message as defined in :rfc:`4492`.
+##
+## c: The connection.
+##
+## curve: The curve parameters.
+##
+## point: The server's ECDH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params
+event ssl_ecdh_server_params%(c: connection, curve: count, point: string%);
+
 ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains
 ## the server DH parameters, which are sent in the ServerKeyExchange message as
 ## defined in :rfc:`5246`.
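Review bot: The `curve` parameter of `ssl_ecdh_server_params` is documented as "The curve parameters", but it is a single `count`, and the analyzer side of this commit (tls-handshake-analyzer.pac) passes it through regardless of `curve_type`, whereas the existing `ssl_server_curve` only fires for named curves. The doc should say what the value is and when it is valid, e.g. `## curve: The named curve identifier (as in ssl_server_curve); only meaningful when the server used a named curve, otherwise its value is unspecified.` It would also help to state that `point` is the raw encoded public point exactly as carried in the message, with no hex conversion applied.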
@@ -190,9 +204,59 @@ event ssl_server_curve%(c: connection, curve: count%);
 ## Ys: The server's DH public key.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
-## ssl_session_ticket_handshake ssl_server_curve
+## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params
 event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
+## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event
+## contains the server signature over the key exchange parameters, which is sent in
+## the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`.
+##
+## c: The connection.
+##
+## signed_params: A hash of the server params, with the signature appropriate to
+## that hash applied. The private key corresponding to the certified
+## public key in the server's Certificate message is used for signing.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params
+event ssl_server_signature%(c: connection, signed_params: string%);
+
+## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event
+## contains the client ECDH public value, which is sent in the ClientKeyExchange
+## message as defined in :rfc:`4492`.
+##
+## c: The connection.
+##
+## point: The client's ECDH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params
+event ssl_ecdh_client_params%(c: connection, point: string%);
+
+## Generated if a client uses a DH-anon or DHE cipher suite. This event contains
+## the client DH parameters, which are sent in the ClientKeyExchange message as
+## defined in :rfc:`5246`.
+##
+## c: The connection.
+##
+## Yc: The client's DH public key.
+##
+## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params
+event ssl_dh_client_params%(c: connection, Yc: string%);
+
+## Generate if a client uses an RSA key exchange. This event contains the client
+## encrypted pre-master secret which is encrypted using the public key of the
+## server's certificate as defined in :rfc:`5246`.
+##
+## c: The connection.
+##
+## pms: The encrypted pre-master secret.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params
+event ssl_rsa_client_pms%(c: connection, pms: string%);
+
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index e3226551b4..40f546a9f6 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
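Review bot: `## Generate if a client uses an RSA key exchange.` should read `## Generated if ...` to match every other event in this file. The `signed_params` description is the RFC 5246 wording ("A hash of the server params, with the signature appropriate to that hash applied") and does not tell an event consumer what bytes they get: the analyzer hands over the signature field verbatim, and whether that includes the TLS 1.2 SignatureAndHashAlgorithm prefix is not visible in this diff and should be stated, e.g. `## signed_params: The raw signature field from ServerKeyExchange, covering the server's key exchange parameters; not verified by the analyzer.` The `.. bro:see::` lists of the four new events do not reference each other (ssl_ecdh_client_params is absent from ssl_ecdh_server_params, for instance), which is worth completing while they are being added.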
@@ -272,15 +272,48 @@ refine connection Handshake_Conn += {
 return true;
 %}
- function proc_ec_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16) : bool
+ function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool
 %{
 if ( curve_type == NAMED_CURVE )
 BifEvent::generate_ssl_server_curve(bro_analyzer(),
 bro_analyzer()->Conn(), curve);
+ BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
+ bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data()));
+ BifEvent::generate_ssl_server_signature(bro_analyzer(),
+ bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data()));
 return true;
 %}
+ function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool
+ %{
+ if ( curve_type == NAMED_CURVE )
+ BifEvent::generate_ssl_server_curve(bro_analyzer(),
+ bro_analyzer()->Conn(), curve);
+ BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
+ bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data()));
+
+ return true;
+ %}
+
+ function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data()));
+ return true;
+ %}
+
+ function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data()));
+ return true;
+ %}
+
+ function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data()));
+ return true;
+ %}
+
 function 
proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
 %{
 RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
@@ -299,7 +332,23 @@ refine connection Handshake_Conn += {
 return true;
 %}
- function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
+ function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ new StringVal(p.length(), (const char*) p.data()),
+ new StringVal(g.length(), (const char*) g.data()),
+ new StringVal(Ys.length(), (const char*) Ys.data())
+ );
+ BifEvent::generate_ssl_server_signature(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ new StringVal(signed_params.length(), (const char*) signed_params.data())
+ );
+
+ return true;
+ %}
+
+ function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
 %{
 BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
 bro_analyzer()->Conn(),
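Review bot: `proc_ecdhe_server_key_exchange` and the new `proc_ecdh_anon_server_key_exchange` are the same statements apart from the trailing `generate_ssl_server_signature`, and `proc_dhe_server_key_exchange` duplicates `proc_dh_anon_server_key_exchange` the same way in the `@@ -299` hunk below; having each non-anonymous variant call its anonymous twin and then emit the signature would keep the two copies from drifting. The `new StringVal(x.length(), (const char*)x.data())` conversion is repeated seven times across the new functions, so a small helper taking a `bytestring` would remove most of that noise. `generate_ssl_ecdh_server_params` is also raised with `curve` regardless of `curve_type`, while the `generate_ssl_server_curve` call directly above it stays gated on `NAMED_CURVE`; for explicit-curve encodings the `curve` value handed to scripts is whatever the parser left there, which deserves either the same guard or a comment saying the value is unspecified then. The tail of the `@@ -299` hunk is not visible here.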
@@ -388,12 +437,32 @@ refine typeattr CertificateStatus += &let {
 proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
 };
-refine typeattr EcServerKeyExchange += &let {
- proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
+refine typeattr EcdheServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_ecdhe_server_key_exchange(rec, curve_type, curve, point, signed_params);
 };
-refine typeattr DhServerKeyExchange += &let {
- proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
+refine typeattr EcdhAnonServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(rec, curve_type, curve, point);
+};
+
+refine typeattr DheServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_dhe_server_key_exchange(rec, dh_p, dh_g, dh_Ys, signed_params);
+};
+
+refine typeattr DhAnonServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_dh_anon_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
+};
+
+refine typeattr RsaClientKeyExchange += &let {
+ proc : bool = $context.connection.proc_rsa_client_key_exchange(rec, rsa_pms);
+};
+
+refine typeattr DhClientKeyExchange += &let {
+ proc : bool = $context.connection.proc_dh_client_key_exchange(rec, dh_Yc);
+};
+
+refine typeattr EcdhClientKeyExchange += &let {
+ proc : bool = $context.connection.proc_ecdh_client_key_exchange(rec, point);
 };
 refine typeattr SupportedVersions += &let {
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index bd155d644d..6a4584bb03 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -176,13 +176,326 @@ type CertificateStatus(rec: HandshakeRecord) = record {
# V3 Server Key Exchange Message (7.4.3.)
######################################################################
-# Usually, the server key exchange does not contain any information
-# that we are interested in.
-#
-# The exception is when we are using an ECDHE, DHE or DH-Anon suite.
-# In this case, we can extract information about the chosen cipher from
-# here.
+# The server key exchange contains the server public key exchange values, and a
+# signature over those values for non-anonymous exchanges. The server key
+# exchange messages is only sent for ECDHE, ECDH-anon, DHE, and DH-anon cipher
+# suites.
type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of {
+ # ECDHE suites
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+ TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_PSK_WITH_NULL_SHA,
+ TLS_ECDHE_PSK_WITH_NULL_SHA256,
+ TLS_ECDHE_PSK_WITH_NULL_SHA384,
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ -> ecdhe_server_key_exchange : EcdheServerKeyExchange(rec);
+
+ # ECDH-anon suites
+ TLS_ECDH_ANON_WITH_NULL_SHA,
+ TLS_ECDH_ANON_WITH_RC4_128_SHA,
+ TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+ # ECDH non-anon suites do not send a ServerKeyExchange
+ -> ecdh_anon_server_key_exchange : EcdhAnonServerKeyExchange(rec);
+
+ # DHE suites
+ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD,
+ TLS_DHE_DSS_WITH_AES_128_CBC_RMD,
+ TLS_DHE_DSS_WITH_AES_256_CBC_RMD,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD,
+ TLS_DHE_RSA_WITH_AES_128_CBC_RMD,
+ TLS_DHE_RSA_WITH_AES_256_CBC_RMD,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_PSK_WITH_RC4_128_SHA,
+ TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_DHE_PSK_WITH_NULL_SHA256,
+ TLS_DHE_PSK_WITH_NULL_SHA384,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+ TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_AES_128_CCM,
+ TLS_DHE_RSA_WITH_AES_256_CCM,
+ TLS_DHE_RSA_WITH_AES_128_CCM_8,
+ TLS_DHE_RSA_WITH_AES_256_CCM_8,
+ TLS_DHE_PSK_WITH_AES_128_CCM,
+ TLS_DHE_PSK_WITH_AES_256_CCM,
+ TLS_PSK_DHE_WITH_AES_128_CCM_8,
+ TLS_PSK_DHE_WITH_AES_256_CCM_8,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ -> dhe_server_key_exchange : DheServerKeyExchange(rec);
+
+ # DH-anon suites
+ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+ TLS_DH_ANON_WITH_RC4_128_MD5,
+ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_DH_ANON_WITH_DES_CBC_SHA,
+ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_128_CBC_SHA256,
+ TLS_DH_ANON_WITH_AES_256_CBC_SHA256,
+ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DH_ANON_WITH_SEED_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_128_GCM_SHA256,
+ TLS_DH_ANON_WITH_AES_256_GCM_SHA384,
+ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256,
+ TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384,
+ TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256,
+ TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384,
+ TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
+ # DH non-anon suites do not send a ServerKeyExchange
+ -> dh_anon_server_key_exchange : DhAnonServerKeyExchange(rec);
+
+ default
+ -> key : bytestring &restofdata &transient;
+};
+
+# Parse an ECDHE ServerKeyExchange message, which contains a signature over the
+# parameters. Parsing explicit curve parameters from the server is not
+# currently supported.
+type EcdheServerKeyExchange(rec: HandshakeRecord) = record {
+ curve_type: uint8;
+ curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
+ point_length: uint8;
+ point: bytestring &length=point_length;
+ signed_params: bytestring &restofdata;
+};
+
+# Parse an ECDH-anon ServerKeyExchange message, which does not contain a
+# signature over the parameters. Parsing explicit curve parameters from the
+# server is not currently supported.
+type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record {
+ curve_type: uint8;
+ curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
+ point_length: uint8;
+ point: bytestring &length=point_length;
+ data: bytestring &restofdata &transient;
+};
+
+# Parse a DHE ServerKeyExchange message, which contains a signature over the
+# parameters.
+type DheServerKeyExchange(rec: HandshakeRecord) = record {
+ dh_p_length: uint16;
+ dh_p: bytestring &length=dh_p_length;
+ dh_g_length: uint16;
+ dh_g: bytestring &length=dh_g_length;
+ dh_Ys_length: uint16;
+ dh_Ys: bytestring &length=dh_Ys_length;
+ signed_params: bytestring &restofdata;
+};
+
+# Parse a DH-anon ServerKeyExchange message, which does not contain a
+# signature over the parameters.
+type DhAnonServerKeyExchange(rec: HandshakeRecord) = record {
+ dh_p_length: uint16;
+ dh_p: bytestring &length=dh_p_length;
+ dh_g_length: uint16;
+ dh_g: bytestring &length=dh_g_length;
+ dh_Ys_length: uint16;
+ dh_Ys: bytestring &length=dh_Ys_length;
+ data: bytestring &restofdata &transient;
+};
+
+######################################################################
+# V3 Certificate Request (7.4.4.)
+######################################################################
+
+# For now, ignore Certificate Request Details; just eat up message.
+type CertificateRequest(rec: HandshakeRecord) = record {
+ cont : bytestring &restofdata &transient;
+};
+
+
+######################################################################
+# V3 Server Hello Done (7.4.5.)
+######################################################################
+
+# Server Hello Done is empty
+type ServerHelloDone(rec: HandshakeRecord) = empty;
+
+
+######################################################################
+# V3 Client Certificate (7.4.6.)
+######################################################################
+
+# Client Certificate is identical to Server Certificate;
+# no further definition here
+
+
+######################################################################
+# V3 Client Key Exchange Message (7.4.7.)
+######################################################################
+
+# Parse a ClientKeyExchange message. For RSA cipher suites, this consists of an
+# encrypted pre-master secret. For DH, DH-anon, and DHE cipher suites, this
+# consists of the client public finite-field Diffie-Hellman value. For ECDH,
+# ECDH-anon, and ECDHE cipher suites, this consists of the client public
+# elliptic curve point.
+type ClientKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of {
+ # RSA suites
+ TLS_RSA_WITH_NULL_MD5,
+ TLS_RSA_WITH_NULL_SHA,
+ TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+ TLS_RSA_WITH_RC4_128_MD5,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+ TLS_RSA_WITH_IDEA_CBC_SHA,
+ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_RSA_WITH_DES_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
+ TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_RMD,
+ TLS_RSA_WITH_AES_128_CBC_RMD,
+ TLS_RSA_WITH_AES_256_CBC_RMD,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_PSK_WITH_RC4_128_SHA,
+ TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_PSK_WITH_AES_128_CBC_SHA, +
TLS_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_SEED_CBC_SHA, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS_RSA_PSK_WITH_NULL_SHA256, + TLS_RSA_PSK_WITH_NULL_SHA384, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_RSA_WITH_AES_128_CCM, + TLS_RSA_WITH_AES_256_CCM, + TLS_RSA_WITH_AES_128_CCM_8, + TLS_RSA_WITH_AES_256_CCM_8 + -> rsa_client_key_exchange: RsaClientKeyExchange(rec); + + #ECHDE TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, @@ -275,7 +588,7 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - -> ec_server_key_exchange : EcServerKeyExchange(rec); + -> ecdh_client_key_exchange : EcdhClientKeyExchange(rec); # DHE suites TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
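Review bot: `EcdheServerKeyExchange` and `EcdhAnonServerKeyExchange` read `curve: uint16`, `point_length` and `point` unconditionally, but the comment on `curve` itself says that layout only holds when `curve_type` is 3 (named_curve); for explicit_prime/explicit_char2 the bytes after `curve_type` are curve parameters, so `point` and `signed_params` get sliced at the wrong offsets and are still delivered to `ssl_ecdh_server_params`/`ssl_server_signature`, since the analyzer only gates `ssl_server_curve` on `NAMED_CURVE`. Either make the record a `case curve_type of` with a `default -> unparsed: bytestring &restofdata &transient;` arm, or have `proc_ecdhe_server_key_exchange` and `proc_ecdh_anon_server_key_exchange` bail out first: `if ( curve_type != NAMED_CURVE ) return true; // explicit curve params are not parsed; point/signed_params would be misaligned`. Explicit curves are rare on the wire, but a peer that sends them must not turn into bogus key-exchange values handed to scripts.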
@@ -377,72 +690,24 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 - # DH non-anon suites do not send a ServerKeyExchange - -> dh_server_key_exchange : DhServerKeyExchange(rec); + -> dh_server_key_exchange : DhClientKeyExchange(rec); default -> key : bytestring &restofdata &transient; }; -# For the moment, we really only are interested in the curve name. If it -# is not set (if the server sends explicit parameters), we do not bother. -# We also do not parse the actual signature data following the named curve. -type EcServerKeyExchange(rec: HandshakeRecord) = record { - curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) - data: bytestring &restofdata &transient; +type RsaClientKeyExchange(rec: HandshakeRecord) = record { + rsa_pms : bytestring &restofdata; }; -# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams -# structure. After that, they start to differ, but we do not care about that. -type DhServerKeyExchange(rec: HandshakeRecord) = record { - dh_p_length: uint16; - dh_p: bytestring &length=dh_p_length; - dh_g_length: uint16; - dh_g: bytestring &length=dh_g_length; - dh_Ys_length: uint16; - dh_Ys: bytestring &length=dh_Ys_length; - data: bytestring &restofdata &transient; +type DhClientKeyExchange(rec: HandshakeRecord) = record { + dh_Yc : bytestring &restofdata; }; - -###################################################################### -# V3 Certificate Request (7.4.4.) -###################################################################### - -# For now, ignore Certificate Request Details; just eat up message. 
-type CertificateRequest(rec: HandshakeRecord) = record { - cont : bytestring &restofdata &transient; +type EcdhClientKeyExchange(rec: HandshakeRecord) = record { + point : bytestring &restofdata; }; - -###################################################################### -# V3 Server Hello Done (7.4.5.) -###################################################################### - -# Server Hello Done is empty -type ServerHelloDone(rec: HandshakeRecord) = empty; - - -###################################################################### -# V3 Client Certificate (7.4.6.) -###################################################################### - -# Client Certificate is identical to Server Certificate; -# no further definition here - - -###################################################################### -# V3 Client Key Exchange Message (7.4.7.) -###################################################################### - -# For now ignore details of ClientKeyExchange (most of it is -# encrypted anyway); just eat up message. -type ClientKeyExchange(rec: HandshakeRecord) = record { - key : bytestring &restofdata &transient; -}; - - ###################################################################### # V3 Certificate Verify (7.4.8.) ###################################################################### 
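Review bot: The three new client records take the whole message body as `&restofdata`, so `rsa_pms`, `dh_Yc` and `point` still carry their vector length prefix (2 bytes for the RSA EncryptedPreMasterSecret and the explicit `dh_Yc` per RFC 5246 §7.4.7, 1 byte for the ECPoint per RFC 4492 §5.7), while the server-side records in this same file parse and strip `dh_p_length`/`point_length`; the client events therefore deliver differently-shaped strings than the server events, and the `pms` doc ("The encrypted pre-master secret") is not quite what a script receives. I would parse the length the same way the ServerKeyExchange records do, as below; note that the implicit-DH form (client certificate carries the DH key) sends an empty body which the grammar then has to tolerate, and if this grammar is also fed SSLv3 handshakes (not visible here) the unprefixed SSLv3 PMS would need a version check. Separately, the case arm `-> dh_server_key_exchange : DhClientKeyExchange(rec);` keeps the old server-side name inside `ClientKeyExchange`; rename it to `dh_client_key_exchange` to match `rsa_client_key_exchange` and `ecdh_client_key_exchange`.
```binpac
type RsaClientKeyExchange(rec: HandshakeRecord) = record {
	rsa_pms_length : uint16;
	rsa_pms : bytestring &length=rsa_pms_length;
};

type DhClientKeyExchange(rec: HandshakeRecord) = record {
	dh_Yc_length : uint16;
	dh_Yc : bytestring &length=dh_Yc_length;
};

type EcdhClientKeyExchange(rec: HandshakeRecord) = record {
	point_length : uint8;
	point : bytestring &length=point_length;
};
```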
@@ -487,7 +752,7 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); - EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; From 6b21167d9647f31bcc5fb67a8e6ecec197d4c86d Mon Sep 17 00:00:00 2001 From: Luke Valenta Date: Wed, 8 Nov 2017 10:07:54 -0500 Subject: [PATCH 119/147] update documentation, fix whitespace errors, add certificate extraction to ssl-verbose script --- scripts/policy/protocols/ssl/ssl-verbose.bro | 204 ++++++++++-------- src/analyzer/protocol/ssl/events.bif | 33 ++- .../protocol/ssl/tls-handshake-analyzer.pac | 26 +-- 3 files changed, 158 insertions(+), 105 deletions(-) diff --git a/scripts/policy/protocols/ssl/ssl-verbose.bro b/scripts/policy/protocols/ssl/ssl-verbose.bro index 4de466327c..42370339d0 100644 --- a/scripts/policy/protocols/ssl/ssl-verbose.bro +++ b/scripts/policy/protocols/ssl/ssl-verbose.bro 
@@ -3,101 +3,133 @@ ##! and certificates hashes. @load base/protocols/ssl +@load base/files/x509 +@load base/utils/directions-and-hosts module SSL; export { - redef record Info += { - # ClientHello - client_random: string &log &optional; - client_cipher_suites: string &optional; + redef record Info += { + # ClientHello + client_random: string &log &optional; + client_cipher_suites: string &log &optional; - # ServerHello - server_random: string &log &optional; + # ServerHello + server_random: string &log &optional; - # ServerKeyExchange - server_dh_p: string &log &optional; - server_dh_q: string &log &optional; - server_dh_Ys: string &log &optional; - server_ecdh_point: string &log &optional; - server_signature: string &log &optional; + # ServerKeyExchange + server_dh_p: string &log &optional; + server_dh_q: string &log &optional; + server_dh_Ys: string &log &optional; + server_ecdh_point: string &log &optional; + server_signature: string &log &optional; - # ServerCertificate - server_cert_sha1: string &log &optional; + # ServerCertificate + server_cert_sha1: string &log &optional; - # ClientKeyExchange - client_rsa_pms: string &log &optional; - client_dh_Yc: string &log &optional; - client_ecdh_point: string &log &optional; - }; + # ClientKeyExchange + client_rsa_pms: string &log &optional; + client_dh_Yc: string &log &optional; + client_ecdh_point: string &log &optional; + }; + + ## Control if host certificates offered by the defined hosts + ## will be written to the PEM certificates file. + ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. 
+ const extract_certs_pem = ALL_HOSTS &redef; } - -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 - { - set_session(c); - c$ssl$client_random = bytestring_to_hexstr(client_random); - - local ciphers_str = ""; - for (i in ciphers) - { - ciphers_str += cipher_desc[ciphers[i]]; - if ( i != |ciphers|-1) - { - ciphers_str += ","; - } - } - c$ssl$client_cipher_suites = ciphers_str; - } - -event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 - { - set_session(c); - c$ssl$server_random = bytestring_to_hexstr(server_random); - } - -event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 - { - set_session(c); - c$ssl$server_dh_p = bytestring_to_hexstr(p); - c$ssl$server_dh_q = bytestring_to_hexstr(q); - c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); - } - -event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 - { - set_session(c); - c$ssl$server_ecdh_point = bytestring_to_hexstr(point); - } - -event ssl_server_signature(c: connection, signed_params: string) &priority=5 - { - set_session(c); - c$ssl$server_signature = bytestring_to_hexstr(signed_params); - } - -event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 - { - set_session(c); - c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); - } - -event ssl_dh_client_params(c: connection, Yc: string) &priority=5 - { - set_session(c); - c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); - } - -event ssl_ecdh_client_params(c: connection, point: string) &priority=5 - { - set_session(c); - c$ssl$client_ecdh_point = bytestring_to_hexstr(point); - } +# This is an internally maintained variable to prevent relogging of +# certificates that have already been seen. It is indexed on an sha1 sum of +# the certificate. 
+global extracted_certs: set[string] = set() &read_expire=1hr &redef; event ssl_established(c: connection) &priority=5 - { - if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || - ! c$ssl$cert_chain[0]?$x509 ) - return; - c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; - } + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || + ! c$ssl$cert_chain[0]?$x509 ) + return; + + if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) ) + return; + + local hash = c$ssl$cert_chain[0]$sha1; + local cert = c$ssl$cert_chain[0]$x509$handle; + + c$ssl$server_cert_sha1 = hash; + + if ( hash in extracted_certs ) + # If we already extracted this cert, don't do it again. + return; + + add extracted_certs[hash]; + local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem"; + local outfile = open_for_append(filename); + enable_raw_output(outfile); + + print outfile, x509_get_certificate_string(cert, T); + + close(outfile); + } + +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 + { + set_session(c); + c$ssl$client_random = bytestring_to_hexstr(client_random); + + local ciphers_str = ""; + for (i in ciphers) + { + ciphers_str += cipher_desc[ciphers[i]]; + if ( i != |ciphers|-1) + { + ciphers_str += ","; + } + } + c$ssl$client_cipher_suites = ciphers_str; + } + +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 + { + set_session(c); + c$ssl$server_random = bytestring_to_hexstr(server_random); + } + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 + { + set_session(c); + c$ssl$server_dh_p = bytestring_to_hexstr(p); + c$ssl$server_dh_q = bytestring_to_hexstr(q); + c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) 
&priority=5 + { + set_session(c); + c$ssl$server_ecdh_point = bytestring_to_hexstr(point); + } + +event ssl_server_signature(c: connection, signed_params: string) &priority=5 + { + set_session(c); + c$ssl$server_signature = bytestring_to_hexstr(signed_params); + } + +event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 + { + set_session(c); + c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); + } + +event ssl_dh_client_params(c: connection, Yc: string) &priority=5 + { + set_session(c); + c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); + } + +event ssl_ecdh_client_params(c: connection, point: string) &priority=5 + { + set_session(c); + c$ssl$client_ecdh_point = bytestring_to_hexstr(point); + } + diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index feba12abb4..cad453844a 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -27,6 +27,8 @@ ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message ## ssl_change_cipher_spec +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%); ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions 
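Review bot: With this hunk ssl.log carries `client_random`, `server_random` and `client_rsa_pms` (all marked `&log`); for an RSA key exchange those three fields are exactly what is needed to derive the session keys once the server's RSA private key is obtained, so the log becomes as sensitive as a full packet capture and the record should say so. I would put above the `client_rsa_pms` field: `## The encrypted pre-master secret. Together with client_random/server_random this allows session-key recovery by anyone who later obtains the server's RSA private key; treat ssl.log as sensitive while this script is loaded.` Also, `cipher_desc[ciphers[i]]` in `ssl_client_hello` indexes the table without a membership check, so a ClientHello advertising a suite id that is not in `cipher_desc` (GREASE values, for instance, if the table lacks them) would as far as I can tell raise a runtime error and abort the handler; guard it with `ciphers_str += ciphers[i] in cipher_desc ? cipher_desc[ciphers[i]] : fmt("unknown-0x%04x", ciphers[i]);`.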
@@ -64,6 +66,8 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_session_ticket_handshake x509_certificate ssl_server_curve ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%); ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS @@ -106,6 +110,8 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension @@ -125,6 +131,8 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension 
@@ -143,6 +151,8 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 @@ -160,6 +170,8 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); ## Generated if a named curve is chosen by the server for an SSL/TLS connection. @@ -175,6 +187,8 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_server_curve%(c: connection, curve: count%); ## Generated if a server uses an ECDH-anon or ECDHE cipher suite. This event 
@@ -188,7 +202,8 @@ event ssl_server_curve%(c: connection, curve: count%); ## point: The server's ECDH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains @@ -204,7 +219,9 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Ys: The server's DH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event @@ -218,7 +235,8 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## public key in the server's Certificate message is used for signing. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_server_signature%(c: connection, signed_params: string%); ## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event 
@@ -230,7 +248,8 @@ event ssl_server_signature%(c: connection, signed_params: string%); ## point: The client's ECDH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms event ssl_ecdh_client_params%(c: connection, point: string%); ## Generated if a client uses a DH-anon or DHE cipher suite. This event contains @@ -242,7 +261,8 @@ event ssl_ecdh_client_params%(c: connection, point: string%); ## Yc: The client's DH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_dh_client_params%(c: connection, Yc: string%); ## Generate if a client uses an RSA key exchange. This event contains the client @@ -254,7 +274,8 @@ event ssl_dh_client_params%(c: connection, Yc: string%); ## pms: The encrypted pre-master secret. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_rsa_client_pms%(c: connection, pms: string%); ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 40f546a9f6..6555ccedc2 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
@@ -272,26 +272,26 @@ refine connection Handshake_Conn += { return true; %} - function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool + function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool %{ if ( curve_type == NAMED_CURVE ) BifEvent::generate_ssl_server_curve(bro_analyzer(), bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); return true; %} - function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool + function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool %{ if ( curve_type == NAMED_CURVE ) BifEvent::generate_ssl_server_curve(bro_analyzer(), bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); return true; %} 
@@ -313,7 +313,7 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); return true; %} - + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); @@ -340,10 +340,10 @@ refine connection Handshake_Conn += { new StringVal(g.length(), (const char*) g.data()), new StringVal(Ys.length(), (const char*) Ys.data()) ); - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(signed_params.length(), (const char*) signed_params.data()) - ); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(signed_params.length(), (const char*) signed_params.data()) + ); return true; %} From 65e65080a01d04f484592d232beb007c13c3802e Mon Sep 17 00:00:00 2001 From: Luke Valenta Date: Wed, 8 Nov 2017 11:33:39 -0500 Subject: [PATCH 120/147] now passing btest --- scripts/policy/protocols/ssl/ssl-verbose.bro | 30 ++------------------ scripts/test-all-policy.bro | 1 + 2 files changed, 4 insertions(+), 27 deletions(-) diff --git a/scripts/policy/protocols/ssl/ssl-verbose.bro b/scripts/policy/protocols/ssl/ssl-verbose.bro index 42370339d0..4e7b4a3c01 100644 --- a/scripts/policy/protocols/ssl/ssl-verbose.bro +++ b/scripts/policy/protocols/ssl/ssl-verbose.bro @@ -4,7 +4,7 @@ @load base/protocols/ssl @load base/files/x509 -@load base/utils/directions-and-hosts +@load ./extract-certs-pem.bro module SSL; 
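Review bot: Replacing `@load base/utils/directions-and-hosts` with `@load ./extract-certs-pem.bro` gives this logging-only policy the side effect of writing observed server certificates to PEM files on disk, and the next hunk's `redef extract_certs_pem = ALL_HOSTS;` then widens that extraction to every host regardless of what the operator configured for extract-certs-pem. If the goal is only to keep `server_cert_sha1` populated, the PEM writer is not needed here at all; if the dependency is intended, document it in the script's header and drop the unconditional `ALL_HOSTS` override so the extraction scope stays the operator's choice. `ALL_HOSTS` comes from the host enum that directions-and-hosts defines, so this presumably still resolves through extract-certs-pem's own loads — worth confirming, since the direct load is gone.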
@@ -36,40 +36,16 @@ export { ## Control if host certificates offered by the defined hosts ## will be written to the PEM certificates file. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. - const extract_certs_pem = ALL_HOSTS &redef; + redef extract_certs_pem = ALL_HOSTS; } -# This is an internally maintained variable to prevent relogging of -# certificates that have already been seen. It is indexed on an sha1 sum of -# the certificate. -global extracted_certs: set[string] = set() &read_expire=1hr &redef; - event ssl_established(c: connection) &priority=5 { if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; - if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) ) - return; - - local hash = c$ssl$cert_chain[0]$sha1; - local cert = c$ssl$cert_chain[0]$x509$handle; - - c$ssl$server_cert_sha1 = hash; - - if ( hash in extracted_certs ) - # If we already extracted this cert, don't do it again. - return; - - add extracted_certs[hash]; - local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem"; - local outfile = open_for_append(filename); - enable_raw_output(outfile); - - print outfile, x509_get_certificate_string(cert, T); - - close(outfile); + c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; } event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 7c828241d0..804ae14d22 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -101,6 +101,7 @@ @load protocols/ssl/validate-ocsp.bro @load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro +@load protocols/ssl/ssl-verbose.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro @load tuning/defaults/extracted_file_limits.bro From 3af440ffcf971b6b0c0ed1bc8d84dcea3a602060 Mon Sep 17 00:00:00 2001 
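Review bot: The `##` documentation block kept above `redef extract_certs_pem = ALL_HOSTS;` still reads as the description of an option ("Control if host certificates ... Choices are: ..."), but the option is now declared in extract-certs-pem and this line only overrides its value, so the doc generator will attach an option description to a redef. Replace it with a plain comment that states the override, e.g. `# Override extract-certs-pem's default so certificates from all hosts are written.`, and if nothing else remains in this `export { }` block (its start is outside the hunk), the redef can live outside it.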
From: Luke Valenta Date: Thu, 9 Nov 2017 11:48:24 -0500 Subject: [PATCH 121/147] add btest w/ baseline for ssl-verbose testing dhe, ecdhe, and rsa key exchange logging --- .../ssl-all.log | 32 +++++++++++++++++++ .../policy/protocols/ssl/ssl-verbose.test | 9 ++++++ 2 files changed, 41 insertions(+) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log create mode 100644 testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log new file mode 100644 index 0000000000..b73201a6b5 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log 
@@ -0,0 +1,32 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-09-16-32-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string +1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 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 c3d48226a8f94d3bbb49918ac02187493258e74e - 
0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 - +#close 2017-11-09-16-32-54 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-09-16-32-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string +1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 
06010100bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472 +#close 2017-11-09-16-32-54 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-09-16-32-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string +1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - - +1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - - +1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - - +#close 2017-11-09-16-32-55 diff --git a/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test b/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test new file mode 100644 index 0000000000..253f76c158 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test @@ -0,0 +1,9 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff ssl-all.log + +@load protocols/ssl/ssl-verbose From bde4404b5ecefc8bfcd188216e2a6f409830cc7b Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 10 Nov 2017 21:33:17 +0100 Subject: [PATCH 122/147] Update submodules [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/aux/binpac b/aux/binpac index 27356ae52f..e6d13e5dfc 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704 +Subproject commit e6d13e5dfc9f727f7c59c0496b529bdb2a1d9b62 diff --git a/aux/bro-aux b/aux/bro-aux index 02f710a436..53bf0578a4 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 02f710a436dfe285bae0d48d7f7bc498783e11a8 +Subproject commit 53bf0578a4ead2dcf6c488b610644451584d46e5 diff --git a/aux/broccoli b/aux/broccoli index 25907f6b0a..498e699b32 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 25907f6b0a5347304d1ec8213bfad3d114260ca0 +Subproject commit 498e699b3273b5c05a4275247e679a31567e71c8 diff --git a/aux/broctl b/aux/broctl index 5c1cb0d54d..a075a80639 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 5c1cb0d54d7814a58f1c0cc03c5be99aac0daf23 +Subproject commit a075a80639b7d543b55cc31191965eb1364e3623 diff --git a/aux/broker b/aux/broker index 862c982f35..761ef15d9b 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 862c982f35e342fb10fa281120135cf61eca66bb +Subproject commit 761ef15d9b72d189d29af7dd09c9e576d61fd78f diff --git a/aux/btest b/aux/btest index 154dd9f9b2..56a368491d 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 +Subproject commit 56a368491d8ef3ef527061b353875099070148ad diff --git a/cmake b/cmake index 79f2b2e944..9bac595066 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 79f2b2e944da77774675be4d5254156451967371 +Subproject commit 9bac5950664ac7b50fb576a2f9422b819b505e21 
From 91dcefe104d4dd5ffb59226d55fdbe4d6a9ad330 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 16 Nov 2017 12:04:11 -0800 Subject: [PATCH 123/147] Fix and extend behavior of HookLoadFile This commit fixes and extends the behavior of HookLoadFile. Before this change, HookLoadFile appended ".bro" to each path that was @loaded, even if the path specified directory names. Furthermore, it only gave the path of the file as it was specified in the Bro script without revealing the final path of the file that it was going to load. This patch changes this behavior - in addition to giving the unmodified path given in the @load command, the hook now returns the resolved path of the file or directory it is going to load (if found). The hook is furthermore raised for @load-sigs and @load-plugin; an enum specifies the kind of load that is happening. --- src/plugin/Manager.cc | 20 +- src/plugin/Manager.h | 2 +- src/plugin/Plugin.cc | 2 +- src/plugin/Plugin.h | 20 +- src/scan.l | 32 +- testing/btest/Baseline/plugins.hooks/output | 1537 ++++++++++------- .../btest/plugins/hooks-plugin/src/Plugin.cc | 6 +- .../btest/plugins/hooks-plugin/src/Plugin.h | 2 +- 8 files changed, 978 insertions(+), 643 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index a6c564d4f2..2f04354b76 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
@@ -569,32 +569,20 @@ void Manager::RequestBroObjDtor(BroObj* obj, Plugin* plugin) obj->NotifyPluginsOnDtor(); } -int Manager::HookLoadFile(const string& file) +int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved) { HookArgumentList args; if ( HavePluginForHook(META_HOOK_PRE) ) { + args.push_back(HookArgument(type)); args.push_back(HookArgument(file)); + args.push_back(HookArgument(resolved)); MetaHookPre(HOOK_LOAD_FILE, args); } hook_list* l = hooks[HOOK_LOAD_FILE]; - size_t i = file.find_last_of("./"); - - string ext; - string normalized_file = file; - - if ( i != string::npos && file[i] == '.' ) - ext = file.substr(i + 1); - else - { - // Add .bro as default extension. - normalized_file = file + ".bro"; - ext = "bro"; - } - int rc = -1; if ( l ) @@ -602,7 +590,7 @@ int Manager::HookLoadFile(const string& file) { Plugin* p = (*i).second; - rc = p->HookLoadFile(normalized_file, ext); + rc = p->HookLoadFile(type, file, resolved); if ( rc >= 0 ) break; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 9ece86bfed..7139121b97 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -237,7 +237,7 @@ public: * if a plugin took over the file but had trouble loading it; and -1 if * no plugin was interested in the file at all. */ - virtual int HookLoadFile(const string& file); + virtual int HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved); /** * Hook that filters calls to a script function/event/hook. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index f54749f837..502dc0b9e7 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -345,7 +345,7 @@ void Plugin::RequestBroObjDtor(BroObj* obj) plugin_mgr->RequestBroObjDtor(obj, this); } -int Plugin::HookLoadFile(const std::string& file, const std::string& ext) +int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) { return -1; } 
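Review bot: The Manager.h declaration (third hunk on this line) is the only one of the four changed `HookLoadFile` signatures whose surrounding comment is not updated: the visible tail still describes only the return code, and the part above the hunk is not shown, so if it carries no `@param` entries a reader of Manager.h cannot tell what `resolved` holds or that it may be empty — mirror the `@param type` / `@param file` / `@param resolved` lines that Plugin.h gains in the next file section. As a style point, top-level `const` on the by-value parameter `const Plugin::LoadType type` (repeated in Manager.cc, Manager.h, Plugin.cc and Plugin.h) does nothing for callers; `Plugin::LoadType type` is enough. I cannot see which `HookArgument` constructor `HookArgument(type)` in the META_HOOK_PRE branch selects; if there is no overload for `LoadType`, the unscoped enum will silently pick an integral or boolean one, which is worth confirming against the meta-hook baseline output.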
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index c3f231bb93..9f5ccb592c 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -403,6 +403,13 @@ public: typedef std::list bif_item_list; typedef std::list > hook_list; + /** + * The different types of @loads supported by HookLoadFile. + */ + enum LoadType { + SCRIPT, SIGNATURES, PLUGIN + }; + /** * Constructor. */ @@ -611,10 +618,15 @@ protected: * script directives. The hook can take over the file, in which case * Bro will not further process it otherwise. * - * @param file The filename to be loaded, including extension. + * @param type The type of load encountered: script load, signatures load, + * or plugin load. * - * @param ext The extension of the filename. This is provided - * separately just for convenience. The dot is excluded. + * @param file The filename that was passed to @load. Only includes + * an extension if it was given in @load. + * + * @param resolved The file or directory name Bro resolved from + * the given path and is going to load. Empty string + * if Bro was not able to resolve a path. * * @return 1 if the plugin took over the file and loaded it * successfully; 0 if the plugin took over the file but had trouble @@ -622,7 +634,7 @@ protected: * have printed an error message); and -1 if the plugin wasn't * interested in the file at all. */ - virtual int HookLoadFile(const std::string& file, const std::string& ext); + virtual int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved); /** * Hook into executing a script-level function/event/hook. Whenever diff --git a/src/scan.l b/src/scan.l index 215b5d7c30..29ff5fa923 100644 --- a/src/scan.l +++ b/src/scan.l 
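Review bot: The new `@param resolved` text says the string is empty only "if Bro was not able to resolve a path", but the `@load-plugin` site in scan.l passes `""` unconditionally for `PLUGIN` loads, so for that load type an empty `resolved` is the normal case rather than a failure. Extend the comment, e.g. `* if Bro was not able to resolve a path; always empty for PLUGIN loads, for which no path resolution is done.` The three `LoadType` enumerators also carry no description; a one-line comment per value (`SCRIPT` for `@load`, `SIGNATURES` for `@load-sigs`, `PLUGIN` for `@load-plugin`) would let plugin authors map them without reading scan.l.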
@@ -348,6 +348,19 @@ when return TOK_WHEN; @load-sigs{WS}{FILE} { const char* file = skip_whitespace(yytext + 10); string path = find_relative_file(file, "sig"); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1); + if ( rc == 1 ) + return 0; // A plugin took care of it, just skip. + + if ( rc == 0 ) + { + if ( ! reporter->Errors() ) + reporter->Error("Plugin reported error loading signatures %s", file); + + exit(1); + } + + assert(rc == -1); // No plugin in charge of this file. if ( path.empty() ) reporter->Error("failed to find file associated with @load-sigs %s", @@ -358,6 +371,19 @@ when return TOK_WHEN; @load-plugin{WS}{ID} { const char* plugin = skip_whitespace(yytext + 12); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::PLUGIN, plugin, ""), -1); + if ( rc == 1 ) + return 0; // A plugin took care of it, just skip. + + if ( rc == 0 ) + { + if ( ! reporter->Errors() ) + reporter->Error("Plugin reported error loading plugin %s", plugin); + + exit(1); + } + + assert(rc == -1); // No plugin in charge of this file. plugin_mgr->ActivateDynamicPlugin(plugin); } @@ -547,7 +573,8 @@ static bool already_scanned(const string& path) static int load_files(const char* orig_file) { - int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(orig_file), -1); + string file_path = find_relative_file(orig_file, "bro"); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SCRIPT, orig_file, file_path), -1); if ( rc == 1 ) return 0; // A plugin took care of it, just skip. @@ -568,7 +595,6 @@ static int load_files(const char* orig_file) // Whether we pushed on a FileInfo that will restore the // current module after the final file has been scanned. bool did_module_restore = false; - string file_path; FILE* f = 0; if ( streq(orig_file, "-") ) 
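Review bot: `return 0; // A plugin took care of it, just skip.` was copied from `load_files()` into the `@load-sigs` rule action, and the same line appears in the `@load-plugin` action in the next hunk, but inside a flex rule action `return` leaves `yylex()` itself and a token value of 0 is what the parser treats as end of input — so a plugin taking over a signature or plugin load would end parsing of the current script at that directive instead of skipping it. In `load_files()` (third hunk on this line) the same statement is a plain function return and is fine. The action should fall through on `rc == 1` and only run the existing handling when no plugin was in charge; the `rc == 0` error branch can stay as written.
```lex
	int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1);

	if ( rc == 0 )
		{
		if ( ! reporter->Errors() )
			reporter->Error("Plugin reported error loading signatures %s", file);

		exit(1);
		}

	// rc == 1: a plugin took care of it. Do not `return` from a rule
	// action -- that leaves yylex(), and a 0 token means end of input.
	if ( rc == -1 )
		{
		// … unchanged: path.empty() error / sig_files handling …
		}
```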
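Review bot: In `load_files()`, `find_relative_file(orig_file, "bro")` is now evaluated before the `streq(orig_file, "-")` check (the call it replaces sat in the `else` branch removed by the next hunk), so the stdin pseudo-file `-` is also run through path resolution and the hook is told it is a `SCRIPT` load with an empty `resolved`, indistinguishable from a script that could not be found. If stdin should be reported distinctly, compute it as `string file_path = streq(orig_file, "-") ? string() : find_relative_file(orig_file, "bro");` and note in the Plugin.h comment that an empty `resolved` also covers stdin. The body of `load_files()` continues past the hunk.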
@@ -585,8 +611,6 @@ static int load_files(const char* orig_file) else { - file_path = find_relative_file(orig_file, "bro"); - if ( file_path.empty() ) reporter->FatalError("can't find %s", orig_file); diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9f231d821f..42b0b6ef26 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -256,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -386,7 +386,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -422,307 +422,312 @@ 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost DrainEvents() -> -0.000000 MetaHookPost LoadFile(../main) -> -1 -0.000000 MetaHookPost LoadFile(../plugin) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BinaryReader.binary.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ConnSize.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ConnSize.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.consts.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DHCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DNP3.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DNS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_File.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileEntropy.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileExtract.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_GTPv1.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_HTTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ICMP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_IMAP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_IRC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Ident.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_InterConn.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_KRB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_KRB.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Login.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Login.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_MIME.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Modbus.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_MySQL.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTLM.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTLM.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RDP.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RFB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RPC.events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_RawReader.raw.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SIP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.consts.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SNMP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SNMP.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SOCKS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSH.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSH.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Syslog.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_TCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_TCP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Teredo.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_UDP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Unified2.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.ocsp_events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_X509.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./acld) -> -1 -0.000000 MetaHookPost LoadFile(./addrs) -> -1 -0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./average) -> -1 -0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./broker) -> -1 -0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./catch-and-release) -> -1 -0.000000 MetaHookPost LoadFile(./comm.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./const-dos-error) -> -1 -0.000000 MetaHookPost LoadFile(./const-nt-status) -> -1 -0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./consts) -> -1 -0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 -0.000000 MetaHookPost LoadFile(./contents) -> -1 -0.000000 MetaHookPost LoadFile(./ct-list) -> -1 -0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 -0.000000 MetaHookPost LoadFile(./debug) -> -1 -0.000000 MetaHookPost LoadFile(./drop) -> -1 -0.000000 MetaHookPost LoadFile(./entities) -> -1 -0.000000 MetaHookPost LoadFile(./event.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./exec) -> -1 -0.000000 MetaHookPost LoadFile(./file_analysis.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./files) -> -1 -0.000000 MetaHookPost LoadFile(./gridftp) -> -1 -0.000000 MetaHookPost LoadFile(./hll_unique) -> -1 -0.000000 MetaHookPost LoadFile(./hooks.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./inactivity) -> -1 -0.000000 MetaHookPost LoadFile(./info) -> -1 -0.000000 MetaHookPost LoadFile(./init.bro) -> -1 -0.000000 MetaHookPost LoadFile(./input) -> -1 -0.000000 MetaHookPost LoadFile(./input.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./last) -> -1 -0.000000 
MetaHookPost LoadFile(./log) -> -1 -0.000000 MetaHookPost LoadFile(./logging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./magic) -> -1 -0.000000 MetaHookPost LoadFile(./main) -> -1 -0.000000 MetaHookPost LoadFile(./main.bro) -> -1 -0.000000 MetaHookPost LoadFile(./max) -> -1 -0.000000 MetaHookPost LoadFile(./messaging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./min) -> -1 -0.000000 MetaHookPost LoadFile(./mozilla-ca-list) -> -1 -0.000000 MetaHookPost LoadFile(./netstats) -> -1 -0.000000 MetaHookPost LoadFile(./non-cluster) -> -1 -0.000000 MetaHookPost LoadFile(./openflow) -> -1 -0.000000 MetaHookPost LoadFile(./packetfilter) -> -1 -0.000000 MetaHookPost LoadFile(./patterns) -> -1 -0.000000 MetaHookPost LoadFile(./pcap.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./plugin) -> -1 -0.000000 MetaHookPost LoadFile(./plugins) -> -1 -0.000000 MetaHookPost LoadFile(./polling) -> -1 -0.000000 MetaHookPost LoadFile(./postprocessors) -> -1 -0.000000 MetaHookPost LoadFile(./reporter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./ryu) -> -1 -0.000000 MetaHookPost LoadFile(./sample) -> -1 -0.000000 MetaHookPost LoadFile(./scp) -> -1 -0.000000 MetaHookPost LoadFile(./sftp) -> -1 -0.000000 MetaHookPost LoadFile(./shunt) -> -1 -0.000000 MetaHookPost LoadFile(./site) -> -1 -0.000000 MetaHookPost LoadFile(./stats.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./std-dev) -> -1 -0.000000 MetaHookPost LoadFile(./store) -> -1 -0.000000 MetaHookPost LoadFile(./store.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./strings.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./sum) -> -1 -0.000000 MetaHookPost LoadFile(./thresholds) -> -1 -0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./topk) -> -1 -0.000000 MetaHookPost LoadFile(./types) -> -1 -0.000000 MetaHookPost LoadFile(./types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./types.bro) -> -1 -0.000000 MetaHookPost LoadFile(./unique) -> -1 -0.000000 MetaHookPost LoadFile(./utils) -> -1 
-0.000000 MetaHookPost LoadFile(./utils-commands) -> -1 -0.000000 MetaHookPost LoadFile(./utils.bro) -> -1 -0.000000 MetaHookPost LoadFile(./variance) -> -1 -0.000000 MetaHookPost LoadFile(./weird) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/add-geodata) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/ascii) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/benchmark) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/binary) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/drop) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/email_admin) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/hostnames) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/none) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/page) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/pp-alarms) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/raw) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/sqlite) -> -1 -0.000000 MetaHookPost LoadFile(<...>/__load__.bro) -> -1 -0.000000 MetaHookPost LoadFile(<...>/__preload__.bro) -> -1 -0.000000 MetaHookPost LoadFile(<...>/hooks.bro) -> -1 -0.000000 MetaHookPost LoadFile(base/bif) -> -1 -0.000000 MetaHookPost LoadFile(base/init-default.bro) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/Bro_KRB.types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/Bro_SNMP.types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/active-http) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/addrs) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/analyzer) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/bro.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/broker) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/comm.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/conn-ids) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/const.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(base<...>/control) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/data.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dce-rpc) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dhcp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dir) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/directions-and-hosts) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dnp3) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dns) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dpd) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/email) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/event.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/exec) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/extract) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/file_analysis.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/files) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/find-checksum-offloading) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/find-filtered-trace) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ftp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/geoip-distance) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/hash) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/http) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/imap) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/input) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/input.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/intel) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/irc) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/json) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/krb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/logging) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/logging.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/main) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/messaging.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/modbus) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/mysql) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/netcontrol) -> -1 -0.000000 
MetaHookPost LoadFile(base<...>/notice) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ntlm) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/numbers) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/openflow) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/packet-filter) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/paths) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/patterns) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/pe) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/plugins) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/pop3) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/queue) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/radius) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/rdp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/reporter) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/reporter.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/rfb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/signatures) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/sip) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/site) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/smb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/smtp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/snmp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/socks) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/software) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ssh) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ssl) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/store.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/strings) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/strings.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/sumstats) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/syslog) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/thresholds) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/time) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/tunnels) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/types.bif) -> -1 -0.000000 MetaHookPost 
LoadFile(base<...>/unified2) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/version) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/weird) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1 +0.000000 MetaHookPost LoadFile(0, ..<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ARP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_File.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/Bro_FileExtract.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Finger.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IRC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Ident.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_PE.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_POP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RFB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SIP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/acld.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/add-geodata.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/addrs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/analyzer.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ascii.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/average.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/benchmark.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/binary.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/broker.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/broxygen.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/catch-and-release.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/consts.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/contents.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ct-list.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/data.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/dcc-send.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/debug.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/drop.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/email_admin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/entities.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/exec.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/files.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/gridftp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hll_unique.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hostnames.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/info.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/init.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/input.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/last.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/log.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/magic) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/max.bro) 
-> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/min.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/mozilla-ca-list.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/netstats.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/none.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/openflow.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/page.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pcap.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/plugin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/polling.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/postprocessors) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/raw.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ryu.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sample.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/scp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/store.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/store.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sum.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/thresholds.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/top-k.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/topk.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/types.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/unique.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/utils-commands.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/variance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/__load__.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/__preload__.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/hooks.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/active-http.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/addrs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/analyzer) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/analyzer.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/bif) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/bro.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/broker) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/communication) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dir.bro) -> -1 +0.000000 MetaHookPost 
LoadFile(0, base<...>/directions-and-hosts.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dnp3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dns) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dpd) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/email.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/exec.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/extract) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/files) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/files.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ftp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/json.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/modbus) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1 +0.000000 
MetaHookPost LoadFile(0, base<...>/notice) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pop3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/queue.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/radius) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/rdp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/smb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/smtp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/snmp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/socks) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/sumstats) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/syslog) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/thresholds.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/time.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, base<...>/tunnels) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/unified2) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/urls.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/version.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/x509) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/xmpp) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/archive.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/audio.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/dpd.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/font.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/general.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/image.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/libmagic.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/msoffice.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/video.sig) -> -1 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 
@@ -986,7 +991,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1116,7 +1121,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
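Review bot: The only change in the `@@ -986,7` and `@@ -1116,7` hunks is the `ts` field of the PacketFilter::LOG record (`ts=1498500921.18004` → `ts=1510863910.246703`), which appears to be a wall-clock timestamp captured when the baseline was regenerated, so this baseline is effectively non-deterministic and will churn on every re-run. Rather than re-baselining the value, the test should canonify it (for example, route the plugin-hook output through a timestamp-stripping canonifier before diffing) or the hook dump should avoid printing live-time record fields; neither fix lives in this diff, so this is a follow-up. If the whole baseline is being regenerated wholesale here, a sentence in the commit message saying so would let reviewers separate the `ts` churn from the substantive `LoadFile(0, …)`/`LoadFile(1, …)` argument change visible in the surrounding hunks.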
@@ -1152,307 +1157,312 @@ 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre DrainEvents() -0.000000 MetaHookPre LoadFile(../main) -0.000000 MetaHookPre LoadFile(../plugin) -0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BinaryReader.binary.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BitTorrent.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ConnSize.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ConnSize.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.consts.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DHCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DNP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DNS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_File.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileEntropy.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileExtract.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileExtract.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Gnutella.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_HTTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ICMP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_IMAP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_IRC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Ident.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_InterConn.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_KRB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_KRB.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Login.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Login.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_MIME.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Modbus.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_MySQL.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTLM.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTLM.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RDP.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RFB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RawReader.raw.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SIP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.consts.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SNMP.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_SNMP.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SOCKS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSH.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSH.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SteppingStone.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Syslog.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_TCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_TCP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Teredo.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_UDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Unified2.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.ocsp_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./acld) -0.000000 MetaHookPre LoadFile(./addrs) -0.000000 MetaHookPre LoadFile(./analyzer.bif.bro) -0.000000 MetaHookPre LoadFile(./average) -0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro) -0.000000 MetaHookPre LoadFile(./bro.bif.bro) -0.000000 MetaHookPre LoadFile(./broker) -0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) -0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) -0.000000 MetaHookPre LoadFile(./catch-and-release) -0.000000 MetaHookPre LoadFile(./comm.bif.bro) -0.000000 MetaHookPre LoadFile(./const-dos-error) -0.000000 MetaHookPre LoadFile(./const-nt-status) -0.000000 MetaHookPre LoadFile(./const.bif.bro) -0.000000 MetaHookPre 
LoadFile(./consts) -0.000000 MetaHookPre LoadFile(./consts.bro) -0.000000 MetaHookPre LoadFile(./contents) -0.000000 MetaHookPre LoadFile(./ct-list) -0.000000 MetaHookPre LoadFile(./data.bif.bro) -0.000000 MetaHookPre LoadFile(./dcc-send) -0.000000 MetaHookPre LoadFile(./debug) -0.000000 MetaHookPre LoadFile(./drop) -0.000000 MetaHookPre LoadFile(./entities) -0.000000 MetaHookPre LoadFile(./event.bif.bro) -0.000000 MetaHookPre LoadFile(./exec) -0.000000 MetaHookPre LoadFile(./file_analysis.bif.bro) -0.000000 MetaHookPre LoadFile(./files) -0.000000 MetaHookPre LoadFile(./gridftp) -0.000000 MetaHookPre LoadFile(./hll_unique) -0.000000 MetaHookPre LoadFile(./hooks.bif.bro) -0.000000 MetaHookPre LoadFile(./inactivity) -0.000000 MetaHookPre LoadFile(./info) -0.000000 MetaHookPre LoadFile(./init.bro) -0.000000 MetaHookPre LoadFile(./input) -0.000000 MetaHookPre LoadFile(./input.bif.bro) -0.000000 MetaHookPre LoadFile(./last) -0.000000 MetaHookPre LoadFile(./log) -0.000000 MetaHookPre LoadFile(./logging.bif.bro) -0.000000 MetaHookPre LoadFile(./magic) -0.000000 MetaHookPre LoadFile(./main) -0.000000 MetaHookPre LoadFile(./main.bro) -0.000000 MetaHookPre LoadFile(./max) -0.000000 MetaHookPre LoadFile(./messaging.bif.bro) -0.000000 MetaHookPre LoadFile(./min) -0.000000 MetaHookPre LoadFile(./mozilla-ca-list) -0.000000 MetaHookPre LoadFile(./netstats) -0.000000 MetaHookPre LoadFile(./non-cluster) -0.000000 MetaHookPre LoadFile(./openflow) -0.000000 MetaHookPre LoadFile(./packetfilter) -0.000000 MetaHookPre LoadFile(./patterns) -0.000000 MetaHookPre LoadFile(./pcap.bif.bro) -0.000000 MetaHookPre LoadFile(./plugin) -0.000000 MetaHookPre LoadFile(./plugins) -0.000000 MetaHookPre LoadFile(./polling) -0.000000 MetaHookPre LoadFile(./postprocessors) -0.000000 MetaHookPre LoadFile(./reporter.bif.bro) -0.000000 MetaHookPre LoadFile(./ryu) -0.000000 MetaHookPre LoadFile(./sample) -0.000000 MetaHookPre LoadFile(./scp) -0.000000 MetaHookPre LoadFile(./sftp) -0.000000 MetaHookPre 
LoadFile(./shunt) -0.000000 MetaHookPre LoadFile(./site) -0.000000 MetaHookPre LoadFile(./stats.bif.bro) -0.000000 MetaHookPre LoadFile(./std-dev) -0.000000 MetaHookPre LoadFile(./store) -0.000000 MetaHookPre LoadFile(./store.bif.bro) -0.000000 MetaHookPre LoadFile(./strings.bif.bro) -0.000000 MetaHookPre LoadFile(./sum) -0.000000 MetaHookPre LoadFile(./thresholds) -0.000000 MetaHookPre LoadFile(./top-k.bif.bro) -0.000000 MetaHookPre LoadFile(./topk) -0.000000 MetaHookPre LoadFile(./types) -0.000000 MetaHookPre LoadFile(./types.bif.bro) -0.000000 MetaHookPre LoadFile(./types.bro) -0.000000 MetaHookPre LoadFile(./unique) -0.000000 MetaHookPre LoadFile(./utils) -0.000000 MetaHookPre LoadFile(./utils-commands) -0.000000 MetaHookPre LoadFile(./utils.bro) -0.000000 MetaHookPre LoadFile(./variance) -0.000000 MetaHookPre LoadFile(./weird) -0.000000 MetaHookPre LoadFile(.<...>/add-geodata) -0.000000 MetaHookPre LoadFile(.<...>/ascii) -0.000000 MetaHookPre LoadFile(.<...>/benchmark) -0.000000 MetaHookPre LoadFile(.<...>/binary) -0.000000 MetaHookPre LoadFile(.<...>/drop) -0.000000 MetaHookPre LoadFile(.<...>/email_admin) -0.000000 MetaHookPre LoadFile(.<...>/hostnames) -0.000000 MetaHookPre LoadFile(.<...>/none) -0.000000 MetaHookPre LoadFile(.<...>/page) -0.000000 MetaHookPre LoadFile(.<...>/pp-alarms) -0.000000 MetaHookPre LoadFile(.<...>/raw) -0.000000 MetaHookPre LoadFile(.<...>/sqlite) -0.000000 MetaHookPre LoadFile(<...>/__load__.bro) -0.000000 MetaHookPre LoadFile(<...>/__preload__.bro) -0.000000 MetaHookPre LoadFile(<...>/hooks.bro) -0.000000 MetaHookPre LoadFile(base/bif) -0.000000 MetaHookPre LoadFile(base/init-default.bro) -0.000000 MetaHookPre LoadFile(base<...>/Bro_KRB.types.bif) -0.000000 MetaHookPre LoadFile(base<...>/Bro_SNMP.types.bif) -0.000000 MetaHookPre LoadFile(base<...>/active-http) -0.000000 MetaHookPre LoadFile(base<...>/addrs) -0.000000 MetaHookPre LoadFile(base<...>/analyzer) -0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif) -0.000000 
MetaHookPre LoadFile(base<...>/bro.bif) -0.000000 MetaHookPre LoadFile(base<...>/broker) -0.000000 MetaHookPre LoadFile(base<...>/cluster) -0.000000 MetaHookPre LoadFile(base<...>/comm.bif) -0.000000 MetaHookPre LoadFile(base<...>/communication) -0.000000 MetaHookPre LoadFile(base<...>/conn) -0.000000 MetaHookPre LoadFile(base<...>/conn-ids) -0.000000 MetaHookPre LoadFile(base<...>/const.bif.bro) -0.000000 MetaHookPre LoadFile(base<...>/control) -0.000000 MetaHookPre LoadFile(base<...>/data.bif) -0.000000 MetaHookPre LoadFile(base<...>/dce-rpc) -0.000000 MetaHookPre LoadFile(base<...>/dhcp) -0.000000 MetaHookPre LoadFile(base<...>/dir) -0.000000 MetaHookPre LoadFile(base<...>/directions-and-hosts) -0.000000 MetaHookPre LoadFile(base<...>/dnp3) -0.000000 MetaHookPre LoadFile(base<...>/dns) -0.000000 MetaHookPre LoadFile(base<...>/dpd) -0.000000 MetaHookPre LoadFile(base<...>/email) -0.000000 MetaHookPre LoadFile(base<...>/event.bif) -0.000000 MetaHookPre LoadFile(base<...>/exec) -0.000000 MetaHookPre LoadFile(base<...>/extract) -0.000000 MetaHookPre LoadFile(base<...>/file_analysis.bif) -0.000000 MetaHookPre LoadFile(base<...>/files) -0.000000 MetaHookPre LoadFile(base<...>/find-checksum-offloading) -0.000000 MetaHookPre LoadFile(base<...>/find-filtered-trace) -0.000000 MetaHookPre LoadFile(base<...>/ftp) -0.000000 MetaHookPre LoadFile(base<...>/geoip-distance) -0.000000 MetaHookPre LoadFile(base<...>/hash) -0.000000 MetaHookPre LoadFile(base<...>/http) -0.000000 MetaHookPre LoadFile(base<...>/imap) -0.000000 MetaHookPre LoadFile(base<...>/input) -0.000000 MetaHookPre LoadFile(base<...>/input.bif) -0.000000 MetaHookPre LoadFile(base<...>/intel) -0.000000 MetaHookPre LoadFile(base<...>/irc) -0.000000 MetaHookPre LoadFile(base<...>/json) -0.000000 MetaHookPre LoadFile(base<...>/krb) -0.000000 MetaHookPre LoadFile(base<...>/logging) -0.000000 MetaHookPre LoadFile(base<...>/logging.bif) -0.000000 MetaHookPre LoadFile(base<...>/main) -0.000000 MetaHookPre 
LoadFile(base<...>/messaging.bif) -0.000000 MetaHookPre LoadFile(base<...>/modbus) -0.000000 MetaHookPre LoadFile(base<...>/mysql) -0.000000 MetaHookPre LoadFile(base<...>/netcontrol) -0.000000 MetaHookPre LoadFile(base<...>/notice) -0.000000 MetaHookPre LoadFile(base<...>/ntlm) -0.000000 MetaHookPre LoadFile(base<...>/numbers) -0.000000 MetaHookPre LoadFile(base<...>/openflow) -0.000000 MetaHookPre LoadFile(base<...>/packet-filter) -0.000000 MetaHookPre LoadFile(base<...>/paths) -0.000000 MetaHookPre LoadFile(base<...>/patterns) -0.000000 MetaHookPre LoadFile(base<...>/pe) -0.000000 MetaHookPre LoadFile(base<...>/plugins) -0.000000 MetaHookPre LoadFile(base<...>/pop3) -0.000000 MetaHookPre LoadFile(base<...>/queue) -0.000000 MetaHookPre LoadFile(base<...>/radius) -0.000000 MetaHookPre LoadFile(base<...>/rdp) -0.000000 MetaHookPre LoadFile(base<...>/reporter) -0.000000 MetaHookPre LoadFile(base<...>/reporter.bif) -0.000000 MetaHookPre LoadFile(base<...>/rfb) -0.000000 MetaHookPre LoadFile(base<...>/signatures) -0.000000 MetaHookPre LoadFile(base<...>/sip) -0.000000 MetaHookPre LoadFile(base<...>/site) -0.000000 MetaHookPre LoadFile(base<...>/smb) -0.000000 MetaHookPre LoadFile(base<...>/smtp) -0.000000 MetaHookPre LoadFile(base<...>/snmp) -0.000000 MetaHookPre LoadFile(base<...>/socks) -0.000000 MetaHookPre LoadFile(base<...>/software) -0.000000 MetaHookPre LoadFile(base<...>/ssh) -0.000000 MetaHookPre LoadFile(base<...>/ssl) -0.000000 MetaHookPre LoadFile(base<...>/store.bif) -0.000000 MetaHookPre LoadFile(base<...>/strings) -0.000000 MetaHookPre LoadFile(base<...>/strings.bif) -0.000000 MetaHookPre LoadFile(base<...>/sumstats) -0.000000 MetaHookPre LoadFile(base<...>/syslog) -0.000000 MetaHookPre LoadFile(base<...>/thresholds) -0.000000 MetaHookPre LoadFile(base<...>/time) -0.000000 MetaHookPre LoadFile(base<...>/tunnels) -0.000000 MetaHookPre LoadFile(base<...>/types.bif) -0.000000 MetaHookPre LoadFile(base<...>/unified2) -0.000000 MetaHookPre 
LoadFile(base<...>/urls) -0.000000 MetaHookPre LoadFile(base<...>/utils) -0.000000 MetaHookPre LoadFile(base<...>/version) -0.000000 MetaHookPre LoadFile(base<...>/weird) -0.000000 MetaHookPre LoadFile(base<...>/x509) -0.000000 MetaHookPre LoadFile(base<...>/xmpp) +0.000000 MetaHookPre LoadFile(0, ..<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ARP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_File.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Finger.events.bif.bro) +0.000000 
MetaHookPre LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IRC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Ident.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_PE.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_POP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RFB.events.bif.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SIP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) +0.000000 MetaHookPre 
LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/acld.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/add-geodata.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ascii.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/average.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/benchmark.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/binary.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/broker.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/broxygen.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/consts.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/contents.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ct-list.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/dcc-send.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/debug.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/drop.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/email_admin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/entities.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/event.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/files.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/gridftp.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/hll_unique.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/hostnames.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/info.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/init.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/last.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/log.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/magic) +0.000000 MetaHookPre LoadFile(0, .<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/max.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/messaging.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/min.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/mozilla-ca-list.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/netstats.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/none.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/openflow.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/page.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/pcap.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/plugin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/plugins) +0.000000 MetaHookPre LoadFile(0, .<...>/polling.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/postprocessors) +0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/raw.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ryu.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sample.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/scp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sftp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/shunt.bro) +0.000000 
MetaHookPre LoadFile(0, .<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/strings.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sum.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/thresholds.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/top-k.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/topk.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/unique.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/utils-commands.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/utils.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/variance.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/weird.bro) +0.000000 MetaHookPre LoadFile(0, <...>/__load__.bro) +0.000000 MetaHookPre LoadFile(0, <...>/__preload__.bro) +0.000000 MetaHookPre LoadFile(0, <...>/hooks.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/active-http.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/bif) +0.000000 MetaHookPre LoadFile(0, base<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/broker) +0.000000 MetaHookPre LoadFile(0, base<...>/cluster) +0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/communication) +0.000000 MetaHookPre LoadFile(0, base<...>/conn) +0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.bro) +0.000000 
MetaHookPre LoadFile(0, base<...>/control) +0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) +0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) +0.000000 MetaHookPre LoadFile(0, base<...>/dir.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dnp3) +0.000000 MetaHookPre LoadFile(0, base<...>/dns) +0.000000 MetaHookPre LoadFile(0, base<...>/dpd) +0.000000 MetaHookPre LoadFile(0, base<...>/email.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/extract) +0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/files) +0.000000 MetaHookPre LoadFile(0, base<...>/files.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/ftp) +0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/hash) +0.000000 MetaHookPre LoadFile(0, base<...>/http) +0.000000 MetaHookPre LoadFile(0, base<...>/imap) +0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/input) +0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/intel) +0.000000 MetaHookPre LoadFile(0, base<...>/irc) +0.000000 MetaHookPre LoadFile(0, base<...>/json.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/krb) +0.000000 MetaHookPre LoadFile(0, base<...>/logging) +0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/modbus) +0.000000 MetaHookPre LoadFile(0, base<...>/mysql) +0.000000 
MetaHookPre LoadFile(0, base<...>/netcontrol) +0.000000 MetaHookPre LoadFile(0, base<...>/notice) +0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) +0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/openflow) +0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) +0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/pe) +0.000000 MetaHookPre LoadFile(0, base<...>/plugins) +0.000000 MetaHookPre LoadFile(0, base<...>/pop3) +0.000000 MetaHookPre LoadFile(0, base<...>/queue.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/radius) +0.000000 MetaHookPre LoadFile(0, base<...>/rdp) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/rfb) +0.000000 MetaHookPre LoadFile(0, base<...>/signatures) +0.000000 MetaHookPre LoadFile(0, base<...>/sip) +0.000000 MetaHookPre LoadFile(0, base<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/smb) +0.000000 MetaHookPre LoadFile(0, base<...>/smtp) +0.000000 MetaHookPre LoadFile(0, base<...>/snmp) +0.000000 MetaHookPre LoadFile(0, base<...>/socks) +0.000000 MetaHookPre LoadFile(0, base<...>/software) +0.000000 MetaHookPre LoadFile(0, base<...>/ssh) +0.000000 MetaHookPre LoadFile(0, base<...>/ssl) +0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/sumstats) +0.000000 MetaHookPre LoadFile(0, base<...>/syslog) +0.000000 MetaHookPre LoadFile(0, base<...>/thresholds.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/time.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/tunnels) +0.000000 MetaHookPre LoadFile(0, base<...>/types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/unified2) +0.000000 MetaHookPre 
LoadFile(0, base<...>/urls.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/utils.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/version.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/weird.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/x509) +0.000000 MetaHookPre LoadFile(0, base<...>/xmpp) +0.000000 MetaHookPre LoadFile(1, .<...>/archive.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/audio.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/dpd.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/font.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/general.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/image.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/libmagic.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/msoffice.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/video.sig) 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) @@ -1715,7 +1725,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1845,7 +1855,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -1881,13 +1891,314 @@ 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookDrainEvents -0.000000 | HookLoadFile ..<...>/bro -0.000000 | HookLoadFile .<...>/bro -0.000000 | HookLoadFile <...>/bro +0.000000 | HookLoadFile ..<...>/main.bro +0.000000 | HookLoadFile ..<...>/plugin.bro +0.000000 | HookLoadFile .<...>/Bro_ARP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_AsciiReader.ascii.bif.bro +0.000000 | HookLoadFile .<...>/Bro_AsciiWriter.ascii.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BackDoor.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_File.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileEntropy.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileExtract.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileExtract.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileHash.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Finger.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_GSSAPI.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_GTPv1.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Gnutella.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_HTTP.events.bif.bro +0.000000 | 
HookLoadFile .<...>/Bro_HTTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ICMP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_IMAP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_IRC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Ident.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_InterConn.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_KRB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_KRB.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Login.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Login.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NoneWriter.none.bif.bro +0.000000 | HookLoadFile .<...>/Bro_PE.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_POP3.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RADIUS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RDP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RDP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RFB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RPC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RawReader.raw.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SIP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_check_directory.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_close.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_create_directory.bif.bro +0.000000 | HookLoadFile 
.<...>/Bro_SMB.smb1_com_echo.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_negotiate.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_query_information.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_read_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_close.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_create.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_negotiate.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SNMP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SNMP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SOCKS.events.bif.bro +0.000000 | HookLoadFile 
.<...>/Bro_SQLiteReader.sqlite.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SteppingStone.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Syslog.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_TCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_TCP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Teredo.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_XMPP.events.bif.bro +0.000000 | HookLoadFile .<...>/acld.bro +0.000000 | HookLoadFile .<...>/add-geodata.bro +0.000000 | HookLoadFile .<...>/addrs.bro +0.000000 | HookLoadFile .<...>/analyzer.bif.bro +0.000000 | HookLoadFile .<...>/archive.sig +0.000000 | HookLoadFile .<...>/ascii.bro +0.000000 | HookLoadFile .<...>/audio.sig +0.000000 | HookLoadFile .<...>/average.bro +0.000000 | HookLoadFile .<...>/benchmark.bro +0.000000 | HookLoadFile .<...>/binary.bro +0.000000 | HookLoadFile .<...>/bloom-filter.bif.bro +0.000000 | HookLoadFile .<...>/bro.bif.bro +0.000000 | HookLoadFile .<...>/broker.bro +0.000000 | HookLoadFile .<...>/broxygen.bif.bro +0.000000 | HookLoadFile .<...>/cardinality-counter.bif.bro +0.000000 | HookLoadFile .<...>/catch-and-release.bro +0.000000 | HookLoadFile .<...>/comm.bif.bro +0.000000 | HookLoadFile .<...>/const-dos-error.bro +0.000000 | HookLoadFile 
.<...>/const-nt-status.bro +0.000000 | HookLoadFile .<...>/const.bif.bro +0.000000 | HookLoadFile .<...>/consts.bro +0.000000 | HookLoadFile .<...>/contents.bro +0.000000 | HookLoadFile .<...>/ct-list.bro +0.000000 | HookLoadFile .<...>/data.bif.bro +0.000000 | HookLoadFile .<...>/dcc-send.bro +0.000000 | HookLoadFile .<...>/debug.bro +0.000000 | HookLoadFile .<...>/dpd.sig +0.000000 | HookLoadFile .<...>/drop.bro +0.000000 | HookLoadFile .<...>/email_admin.bro +0.000000 | HookLoadFile .<...>/entities.bro +0.000000 | HookLoadFile .<...>/event.bif.bro +0.000000 | HookLoadFile .<...>/exec.bro +0.000000 | HookLoadFile .<...>/file_analysis.bif.bro +0.000000 | HookLoadFile .<...>/files.bro +0.000000 | HookLoadFile .<...>/font.sig +0.000000 | HookLoadFile .<...>/general.sig +0.000000 | HookLoadFile .<...>/gridftp.bro +0.000000 | HookLoadFile .<...>/hll_unique.bro +0.000000 | HookLoadFile .<...>/hooks.bif.bro +0.000000 | HookLoadFile .<...>/hostnames.bro +0.000000 | HookLoadFile .<...>/image.sig +0.000000 | HookLoadFile .<...>/inactivity.bro +0.000000 | HookLoadFile .<...>/info.bro +0.000000 | HookLoadFile .<...>/init.bro +0.000000 | HookLoadFile .<...>/input.bif.bro +0.000000 | HookLoadFile .<...>/input.bro +0.000000 | HookLoadFile .<...>/last.bro +0.000000 | HookLoadFile .<...>/libmagic.sig +0.000000 | HookLoadFile .<...>/log.bro +0.000000 | HookLoadFile .<...>/logging.bif.bro +0.000000 | HookLoadFile .<...>/magic +0.000000 | HookLoadFile .<...>/main.bro +0.000000 | HookLoadFile .<...>/max.bro +0.000000 | HookLoadFile .<...>/messaging.bif.bro +0.000000 | HookLoadFile .<...>/min.bro +0.000000 | HookLoadFile .<...>/mozilla-ca-list.bro +0.000000 | HookLoadFile .<...>/msoffice.sig +0.000000 | HookLoadFile .<...>/netstats.bro +0.000000 | HookLoadFile .<...>/non-cluster.bro +0.000000 | HookLoadFile .<...>/none.bro +0.000000 | HookLoadFile .<...>/openflow.bro +0.000000 | HookLoadFile .<...>/packetfilter.bro +0.000000 | HookLoadFile .<...>/page.bro +0.000000 | HookLoadFile 
.<...>/patterns.bro +0.000000 | HookLoadFile .<...>/pcap.bif.bro +0.000000 | HookLoadFile .<...>/plugin.bro +0.000000 | HookLoadFile .<...>/plugins +0.000000 | HookLoadFile .<...>/polling.bro +0.000000 | HookLoadFile .<...>/postprocessors +0.000000 | HookLoadFile .<...>/pp-alarms.bro +0.000000 | HookLoadFile .<...>/raw.bro +0.000000 | HookLoadFile .<...>/reporter.bif.bro +0.000000 | HookLoadFile .<...>/ryu.bro +0.000000 | HookLoadFile .<...>/sample.bro +0.000000 | HookLoadFile .<...>/scp.bro +0.000000 | HookLoadFile .<...>/sftp.bro +0.000000 | HookLoadFile .<...>/shunt.bro +0.000000 | HookLoadFile .<...>/site.bro +0.000000 | HookLoadFile .<...>/sqlite.bro +0.000000 | HookLoadFile .<...>/stats.bif.bro +0.000000 | HookLoadFile .<...>/std-dev.bro +0.000000 | HookLoadFile .<...>/store.bif.bro +0.000000 | HookLoadFile .<...>/store.bro +0.000000 | HookLoadFile .<...>/strings.bif.bro +0.000000 | HookLoadFile .<...>/sum.bro +0.000000 | HookLoadFile .<...>/thresholds.bro +0.000000 | HookLoadFile .<...>/top-k.bif.bro +0.000000 | HookLoadFile .<...>/topk.bro +0.000000 | HookLoadFile .<...>/types.bif.bro +0.000000 | HookLoadFile .<...>/types.bro +0.000000 | HookLoadFile .<...>/unique.bro +0.000000 | HookLoadFile .<...>/utils-commands.bro +0.000000 | HookLoadFile .<...>/utils.bro +0.000000 | HookLoadFile .<...>/variance.bro +0.000000 | HookLoadFile .<...>/video.sig +0.000000 | HookLoadFile .<...>/weird.bro +0.000000 | HookLoadFile <...>/__load__.bro +0.000000 | HookLoadFile <...>/__preload__.bro +0.000000 | HookLoadFile <...>/hooks.bro +0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.bro +0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.bro +0.000000 | HookLoadFile base<...>/active-http.bro +0.000000 | HookLoadFile base<...>/addrs.bro +0.000000 | HookLoadFile base<...>/analyzer +0.000000 | HookLoadFile base<...>/analyzer.bif.bro 0.000000 | HookLoadFile base<...>/bif -0.000000 | HookLoadFile base<...>/bro +0.000000 | HookLoadFile base<...>/bro.bif.bro +0.000000 | 
HookLoadFile base<...>/broker +0.000000 | HookLoadFile base<...>/cluster +0.000000 | HookLoadFile base<...>/comm.bif.bro +0.000000 | HookLoadFile base<...>/communication +0.000000 | HookLoadFile base<...>/conn +0.000000 | HookLoadFile base<...>/conn-ids.bro +0.000000 | HookLoadFile base<...>/const.bif.bro +0.000000 | HookLoadFile base<...>/control +0.000000 | HookLoadFile base<...>/data.bif.bro +0.000000 | HookLoadFile base<...>/dce-rpc +0.000000 | HookLoadFile base<...>/dhcp +0.000000 | HookLoadFile base<...>/dir.bro +0.000000 | HookLoadFile base<...>/directions-and-hosts.bro +0.000000 | HookLoadFile base<...>/dnp3 +0.000000 | HookLoadFile base<...>/dns +0.000000 | HookLoadFile base<...>/dpd +0.000000 | HookLoadFile base<...>/email.bro +0.000000 | HookLoadFile base<...>/event.bif.bro +0.000000 | HookLoadFile base<...>/exec.bro +0.000000 | HookLoadFile base<...>/extract +0.000000 | HookLoadFile base<...>/file_analysis.bif.bro +0.000000 | HookLoadFile base<...>/files +0.000000 | HookLoadFile base<...>/files.bro +0.000000 | HookLoadFile base<...>/find-checksum-offloading.bro +0.000000 | HookLoadFile base<...>/find-filtered-trace.bro +0.000000 | HookLoadFile base<...>/ftp +0.000000 | HookLoadFile base<...>/geoip-distance.bro +0.000000 | HookLoadFile base<...>/hash +0.000000 | HookLoadFile base<...>/http +0.000000 | HookLoadFile base<...>/imap +0.000000 | HookLoadFile base<...>/init-default.bro +0.000000 | HookLoadFile base<...>/input +0.000000 | HookLoadFile base<...>/input.bif.bro +0.000000 | HookLoadFile base<...>/intel +0.000000 | HookLoadFile base<...>/irc +0.000000 | HookLoadFile base<...>/json.bro +0.000000 | HookLoadFile base<...>/krb +0.000000 | HookLoadFile base<...>/logging +0.000000 | HookLoadFile base<...>/logging.bif.bro +0.000000 | HookLoadFile base<...>/main.bro +0.000000 | HookLoadFile base<...>/messaging.bif.bro +0.000000 | HookLoadFile base<...>/modbus +0.000000 | HookLoadFile base<...>/mysql +0.000000 | HookLoadFile base<...>/netcontrol +0.000000 | 
HookLoadFile base<...>/notice +0.000000 | HookLoadFile base<...>/ntlm +0.000000 | HookLoadFile base<...>/numbers.bro +0.000000 | HookLoadFile base<...>/openflow +0.000000 | HookLoadFile base<...>/packet-filter +0.000000 | HookLoadFile base<...>/paths.bro +0.000000 | HookLoadFile base<...>/patterns.bro +0.000000 | HookLoadFile base<...>/pe +0.000000 | HookLoadFile base<...>/plugins +0.000000 | HookLoadFile base<...>/pop3 +0.000000 | HookLoadFile base<...>/queue.bro +0.000000 | HookLoadFile base<...>/radius +0.000000 | HookLoadFile base<...>/rdp +0.000000 | HookLoadFile base<...>/reporter +0.000000 | HookLoadFile base<...>/reporter.bif.bro +0.000000 | HookLoadFile base<...>/rfb +0.000000 | HookLoadFile base<...>/signatures +0.000000 | HookLoadFile base<...>/sip +0.000000 | HookLoadFile base<...>/site.bro +0.000000 | HookLoadFile base<...>/smb +0.000000 | HookLoadFile base<...>/smtp +0.000000 | HookLoadFile base<...>/snmp +0.000000 | HookLoadFile base<...>/socks +0.000000 | HookLoadFile base<...>/software +0.000000 | HookLoadFile base<...>/ssh +0.000000 | HookLoadFile base<...>/ssl +0.000000 | HookLoadFile base<...>/store.bif.bro +0.000000 | HookLoadFile base<...>/strings.bif.bro +0.000000 | HookLoadFile base<...>/strings.bro +0.000000 | HookLoadFile base<...>/sumstats +0.000000 | HookLoadFile base<...>/syslog +0.000000 | HookLoadFile base<...>/thresholds.bro +0.000000 | HookLoadFile base<...>/time.bro +0.000000 | HookLoadFile base<...>/tunnels +0.000000 | HookLoadFile base<...>/types.bif.bro +0.000000 | HookLoadFile base<...>/unified2 +0.000000 | HookLoadFile base<...>/urls.bro +0.000000 | HookLoadFile base<...>/utils.bro +0.000000 | HookLoadFile base<...>/version.bro +0.000000 | HookLoadFile base<...>/weird.bro +0.000000 | HookLoadFile base<...>/x509 +0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1498500921.180040, 
node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index d636e12b7c..c5b8f4e981 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -46,10 +46,10 @@ static void describe_hook_args(const plugin::HookArgumentList& args, ODesc* d) } } -int Plugin::HookLoadFile(const std::string& file, const std::string& ext) +int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) { - fprintf(stderr, "%.6f %-15s %s/%s\n", network_time, "| HookLoadFile", - file.c_str(), ext.c_str()); + fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLoadFile", + file.c_str(), resolved.c_str()); return -1; } diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index 64227c0660..1192304976 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h @@ -10,7 +10,7 @@ namespace Demo_Hooks { class Plugin : public ::plugin::Plugin { protected: - int HookLoadFile(const std::string& file, const std::string& ext) override; + int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) override; std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args) override; bool HookQueueEvent(Event* event) override; void HookDrainEvents() override; From b8524371264f4baa9942a5b4f5c475e200f81d6f Mon Sep 17 00:00:00 2001 
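Review bot: The new `type` parameter of the test plugin's `HookLoadFile` is not part of the line printed to stderr, so the baseline cannot show whether a file was loaded as a script or as a plugin, which is exactly the distinction the new signature introduces; printing it (cast as appropriate for `LoadType`) between the prefix and `file.c_str()` and regenerating the baseline would exercise the new argument. The top-level `const` on the by-value `type` parameter in the Plugin.h declaration is also noise, since it has no effect on the signature.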
From: Johanna Amann Date: Thu, 16 Nov 2017 12:45:11 -0800 Subject: [PATCH 124/147] Add reporter hook. The hook being added is: bool HookReporter(const std::string& prefix, const EventHandlerPtr event, const Connection* conn, const val_list* addl, bool location, const Location* location1, const Location* location2, bool time, const std::string& buffer) override; This hook gives access to basically all information that is available in the function in Reporter.cc that performs the logging. The hook is called each time when anything passes through the reporter in the cases in which an event usually would be called. This includes weirds. The hook can return false to prevent the normal reporter events from being raised. --- src/Reporter.cc | 21 ++++++++- src/plugin/Manager.cc | 46 +++++++++++++++++++ src/plugin/Manager.h | 33 +++++++++++++ src/plugin/Plugin.cc | 18 ++++++++ src/plugin/Plugin.h | 42 ++++++++++++++++- .../Baseline/plugins.reporter-hook/output | 10 ++++ .../plugins.reporter-hook/reporter.log | 13 ++++++ .../reporter-hook-plugin/.btest-ignore | 0 .../reporter-hook-plugin/src/Plugin.cc | 43 +++++++++++++++++ .../plugins/reporter-hook-plugin/src/Plugin.h | 27 +++++++++++ testing/btest/plugins/reporter-hook.bro | 24 ++++++++++ 11 files changed, 275 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/plugins.reporter-hook/output create mode 100644 testing/btest/Baseline/plugins.reporter-hook/reporter.log create mode 100644 testing/btest/plugins/reporter-hook-plugin/.btest-ignore create mode 100644 testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc create mode 100644 testing/btest/plugins/reporter-hook-plugin/src/Plugin.h create mode 100644 testing/btest/plugins/reporter-hook.bro diff --git a/src/Reporter.cc b/src/Reporter.cc index 4823b33ef3..eb89a29d30 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc 
@@ -10,6 +10,8 @@
 #include "NetVar.h"
 #include "Net.h"
 #include "Conn.h"
+#include "plugin/Plugin.h"
+#include "plugin/Manager.h"
 #ifdef SYSLOG_INT
 extern "C" {
@@ -323,7 +325,24 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 // buffer size above.
 safe_snprintf(buffer + strlen(buffer), size - strlen(buffer), " [%s]", postfix);
- if ( event && via_events && ! in_error_handler )
+ bool raise_event = true;
+
+ if ( via_events && ! in_error_handler )
+ {
+ if ( locations.size() )
+ {
+ auto locs = locations.back();
+ raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER,
+ HookReporter(prefix, event, conn, addl, location,
+ locs.first, locs.second, time, buffer), true);
+ }
+ else
+ raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER,
+ HookReporter(prefix, event, conn, addl, location,
+ nullptr, nullptr, time, buffer), true);
+ }
+
+ if ( raise_event && event && via_events && ! in_error_handler )
 {
 val_list* vl = new val_list;
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index a6c564d4f2..5e48be80f5 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
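Review bot: The hook is now invoked before the `event` null-check, so plugins (and the META_HOOK_PRE/POST traffic) run for reporter messages that have no script-side handler, whereas the old condition only took this path when `event` was set; if that is intended, the `@param event` text in Manager.h and Plugin.h should say the handler may be null, otherwise keep `event &&` in `if ( via_events && ! in_error_handler )`. Because a `false` from the hook suppresses the script-side event, and with it whatever the script layer derives from it (the new baseline shows the vetoed error missing from reporter.log), this is a point where a plugin can silence weirds and errors; a one-line comment above the `PLUGIN_HOOK_WITH_RESULT` call saying so would make the veto deliberate for the next reader. `via_events && ! in_error_handler` is also evaluated twice and could be hoisted into the `raise_event` initialisation. DoLog's body starts and ends outside the hunk.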
@@ -853,6 +853,52 @@ bool Manager::HookLogWrite(const std::string& writer,
 return result;
 }
+bool Manager::HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message)
+
+ {
+ HookArgumentList args;
+
+ if ( HavePluginForHook(META_HOOK_PRE) )
+ {
+ args.push_back(HookArgument(prefix));
+ args.push_back(HookArgument(conn));
+ args.push_back(HookArgument(addl));
+ args.push_back(HookArgument(location1));
+ args.push_back(HookArgument(location2));
+ args.push_back(HookArgument(location));
+ args.push_back(HookArgument(time));
+ args.push_back(HookArgument(message));
+ MetaHookPre(HOOK_REPORTER, args);
+ }
+
+ hook_list* l = hooks[HOOK_REPORTER];
+
+ bool result = true;
+
+ if ( l )
+ {
+ for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
+ {
+ Plugin* p = (*i).second;
+
+ if ( ! p->HookReporter(prefix, event, conn, addl, location, location1, location2, time, message) )
+ {
+ result = false;
+ break;
+ }
+ }
+ }
+
+ if ( HavePluginForHook(META_HOOK_POST) )
+ MetaHookPost(HOOK_REPORTER, args, HookArgument(result));
+
+ return result;
+ }
+
+
 void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const
 {
 hook_list* l = hooks[HOOK_CALL_FUNCTION];
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h
index 9ece86bfed..1fdc588c7b 100644
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
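Review bot: The loop stops at the first plugin whose `HookReporter` returns false, so a plugin registered later in `hooks[HOOK_REPORTER]` never sees a message that an earlier plugin vetoed; this appears to match the other hooks in this file, but since the veto decides whether a weird or error reaches script land, the Manager.h comment should state that hook priority decides which plugin gets the first say and that vetoed messages are not delivered to later plugins. The `MetaHookPre` argument list omits `event`, so meta-hook observers cannot tell which handler was vetoed; add it if a matching `HookArgument` constructor exists. Minor: the blank line between the closing `)` of the signature and the opening `{` is inconsistent with the other definitions in this hunk.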
@@ -355,6 +355,39 @@ public: int num_fields, const threading::Field* const* fields, threading::Value** vals) const; + /** + * Hook into reporting. This method will be called for each reporter call + * made; this includes weirds. The method cannot manipulate the data at + * the current time; however it is possible to prevent script-side events + * from being called by returning false. + * + * @param prefix The prefix passed by the reporter framework + * + * @param event The event to be called + * + * @param conn The associated connection + * + * @param addl Additional Bro values; typically will be passed to the event + * by the reporter framework. + * + * @param location True if event expects location information + * + * @param location1 First location + * + * @param location2 Second location + * + * @param time True if event expects time information + * + * @param message Message supplied by the reporter framework + * + * @return true if event should be called by the reporter framework, false + * if the event call should be skipped + */ + bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message); + /** * Internal method that registers a freshly instantiated plugin with * the manager. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index f54749f837..21e5401e48 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -208,6 +208,16 @@ void HookArgument::Describe(ODesc* d) const d->Add("}"); } break; + + case LOCATION: + if ( arg.loc ) + { + arg.loc->Describe(d); + } + else + { + d->Add(""); + } } } 
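Review bot: In the new `LOCATION` case of `HookArgument::Describe`, a null `arg.loc` contributes `d->Add("")`, which leaves the argument invisible in a meta-hook description rather than marking it as absent; unless the other pointer cases in this switch (outside the hunk) do the same, `d->Add("<null>")` or similar would make traces unambiguous. The new case is also the last one in the switch and has no trailing `break;`, which is harmless now but worth adding so that appending another case later does not introduce a silent fall-through.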
@@ -393,6 +403,14 @@ bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter,
 return true;
 }
+bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message)
+ {
+ return true;
+ }
+
 void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args)
 {
 }
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h
index c3f231bb93..78a4b5abe5 100644
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@@ -48,6 +48,7 @@ enum HookType {
 HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree
 HOOK_LOG_INIT, //< Activates Plugin::HookLogInit
 HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite
+ HOOK_REPORTER, //< Activates Plugin::HookReporter
 // Meta hooks.
 META_HOOK_PRE, //< Activates Plugin::MetaHookPre().
@@ -172,7 +173,7 @@ public:
 */
 enum Type {
 BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL,
- VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS
+ VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS, LOCATION
 };
 /**
@@ -250,6 +251,11 @@ public:
 */
 explicit HookArgument(const std::pair fpair) { type = THREAD_FIELDS; tfields = fpair; }
+ /**
+ * Constructor with a location argument.
+ */
+ explicit HookArgument(const Location* location) { type = LOCATION; arg.loc = location; }
+
 /**
 * Returns the value for a boolen argument. The argument's type must
 * match accordingly.
@@ -360,6 +366,7 @@ private:
 const val_list* vals;
 const void* voidp;
 const logging::WriterBackend::WriterInfo* winfo;
+ const Location* loc;
 } arg;
 // Outside union because these have dtors.
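Review bot: `explicit HookArgument(const Location* location)` joins what are presumably several raw-pointer constructors (the union already holds `const void* voidp` and `const val_list* vals`), so a caller passing a literal `nullptr` would get an ambiguous-overload error; the calls in Manager::HookReporter pass typed `const Location*` variables and are fine, but a note on the constructor that the argument must be a typed pointer (e.g. `static_cast<const Location*>(nullptr)` for "no location") would save the next user a confusing compile error. The default `Plugin::HookReporter` returns true without touching its nine parameters; if the build warns on unused parameters, leaving them unnamed in the definition keeps it quiet.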
@@ -769,6 +776,39 @@ protected: const threading::Field* const* fields, threading::Value** vals); + /** + * Hook into reporting. This method will be called for each reporter call + * made; this includes weirds. The method cannot manipulate the data at + * the current time; however it is possible to prevent script-side events + * from being called by returning false. + * + * @param prefix The prefix passed by the reporter framework + * + * @param event The event to be called + * + * @param conn The associated connection + * + * @param addl Additional Bro values; typically will be passed to the event + * by the reporter framework. + * + * @param location True if event expects location information + * + * @param location1 First location + * + * @param location2 Second location + * + * @param time True if event expects time information + * + * @param message Message supplied by the reporter framework + * + * @return true if event should be called by the reporter framework, false + * if the event call should be skipped + */ + virtual bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message); + // Meta hooks. /** diff --git a/testing/btest/Baseline/plugins.reporter-hook/output b/testing/btest/Baseline/plugins.reporter-hook/output new file mode 100644 index 0000000000..e5ed573e67 --- /dev/null +++ b/testing/btest/Baseline/plugins.reporter-hook/output 
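Review bot: The `@param event` text says "The event to be called", but with the call site in Reporter.cc no longer guarded by `event`, the handler may be null when the hook runs; the same comment is duplicated in the Manager.h hunk. The `@return` wording also undersells the effect of the veto: the new baseline shows the vetoed error missing from reporter.log while the stderr line is still printed, so a sentence such as `Returning false suppresses the script-side event and everything derived from it (e.g. the reporter.log entry); the reporter's own stderr output is unaffected.` belongs in both copies.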
@@ -0,0 +1,10 @@ + | Hook Some Info <...>/reporter-hook.bro, line 16 + | Hook error An Error <...>/reporter-hook.bro, line 18 + | Hook error An Error that does not show up in the log <...>/reporter-hook.bro, line 19 + | Hook expression error field value missing [b$a] <...>/reporter-hook.bro, line 23 + | Hook warning A warning <...>/reporter-hook.bro, line 17 +<...>/reporter-hook.bro, line 16: Some Info +error in <...>/reporter-hook.bro, line 18: An Error +error in <...>/reporter-hook.bro, line 19: An Error that does not show up in the log +expression error in <...>/reporter-hook.bro, line 23: field value missing [b$a] +warning in <...>/reporter-hook.bro, line 17: A warning diff --git a/testing/btest/Baseline/plugins.reporter-hook/reporter.log b/testing/btest/Baseline/plugins.reporter-hook/reporter.log new file mode 100644 index 0000000000..ab70b0c17a --- /dev/null +++ b/testing/btest/Baseline/plugins.reporter-hook/reporter.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path reporter +#open 2017-07-26-17-58-52 +#fields ts level message location +#types time enum string string +0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 16 +0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 17 +0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 18 +0.000000 Reporter::ERROR field value missing [b$a] /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 23 +#close 2017-07-26-17-58-52 diff --git a/testing/btest/plugins/reporter-hook-plugin/.btest-ignore b/testing/btest/plugins/reporter-hook-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..9c8eee6ca8
--- /dev/null
+++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc
@@ -0,0 +1,43 @@
+
+#include "Plugin.h"
+
+#include
+#include
+#include
+#include
+
+namespace plugin { namespace Reporter_Hook { Plugin plugin; } }
+
+using namespace plugin::Reporter_Hook;
+
+plugin::Configuration Plugin::Configure()
+ {
+ EnableHook(HOOK_REPORTER);
+
+ plugin::Configuration config;
+ config.name = "Reporter::Hook";
+ config.description = "Exercise Reporter Hook";
+ config.version.major = 1;
+ config.version.minor = 0;
+ return config;
+ }
+
+bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& buffer)
+ {
+ ODesc d;
+ if ( location1 )
+ location1->Describe(&d);
+ if ( location2 )
+ location2->Describe(&d);
+
+ fprintf(stderr, " | Hook %s %s %s\n", prefix.c_str(), message.c_str(), d.Description());
+
+ if ( message == "An Error that does not show up in the log" )
+ return false;
+
+ return true;
+ }
+
diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h
new file mode 100644
index 0000000000..2e793aba08
--- /dev/null
+++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h
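Review bot: The override declares its last parameter as `buffer` but the body reads `message` (`message.c_str()` in the fprintf and `message == "An Error that does not show up in the log"`); unless a `message` symbol comes in through the headers, this does not compile, and the fix is to name the parameter `message` here and in the test's Plugin.h, matching the base-class declaration. `d` is also filled by describing `location1` and `location2` back to back with no separator, so the printed column runs the two locations together when both are set; a `d.Add(" ")` between the two Describe calls keeps the baseline readable.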
@@ -0,0 +1,27 @@ + +#ifndef BRO_PLUGIN_Reporter_Hook +#define BRO_PLUGIN_Reporter_Hook + +#include + +namespace plugin { +namespace Reporter_Hook { + +class Plugin : public ::plugin::Plugin +{ +protected: + bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& buffer) override; + + // Overridden from plugin::Plugin. + plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} +} + +#endif diff --git a/testing/btest/plugins/reporter-hook.bro b/testing/btest/plugins/reporter-hook.bro new file mode 100644 index 0000000000..13e98fc76e --- /dev/null +++ b/testing/btest/plugins/reporter-hook.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Reporter Hook +# @TEST-EXEC: cp -r %DIR/reporter-hook-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Reporter::Hook" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log + +@load base/frameworks/reporter + +type TestType: record { + a: bool &optional; +}; + +event bro_init() + { + Reporter::info("Some Info"); + Reporter::warning("A warning"); + Reporter::error("An Error"); + Reporter::error("An Error that does not show up in the log"); + + # And just trigger a runtime problem. + local b = TestType(); + print b$a; + } From 395c26b8bee8f819351abf4b5c21cb3f8c8d0e02 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 Nov 2017 15:13:01 -0800 Subject: [PATCH 125/147] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 154dd9f9b2..bc50a42297 160000 --- a/aux/btest 
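Review bot: The last parameter of HookReporter is named `buffer` in this declaration but `message` in the definition in Plugin.cc; the names do not affect overriding, but they should agree so the header documents what the hook actually receives. `bool HookReporter(..., bool time, const std::string& message) override;` matches the definition and the base-class wording.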
+++ b/aux/btest @@ -1 +1 @@ -Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 +Subproject commit bc50a42297db84a88f1a0730691918062de315f7 From 7139e30bedc9ff43e72a3726e8c7043f5b702a5f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 Nov 2017 15:27:04 -0800 Subject: [PATCH 126/147] Updating submodule(s). [nomail] --- CHANGES | 2 +- VERSION | 2 +- aux/broccoli | 2 +- aux/btest | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index e31bade741..910321247f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-342 | 2017-11-17 15:13:17 -0800 +2.5-343 | 2017-11-17 15:27:04 -0800 * Fix ASCII logging of very large values of type "double". Previously, the nonsensical "NAN.0" would be written to ASCII logs diff --git a/VERSION b/VERSION index 36492dfd1e..26514725b5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-342 +2.5-343 diff --git a/aux/broccoli b/aux/broccoli index 498e699b32..13fe5fba7e 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 498e699b3273b5c05a4275247e679a31567e71c8 +Subproject commit 13fe5fba7ebd314e6bf2bedbac465d4c3f2e4301 diff --git a/aux/btest b/aux/btest index bc50a42297..b3a5742b6b 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit bc50a42297db84a88f1a0730691918062de315f7 +Subproject commit b3a5742b6b04acdd851dba4e08723a568c4aa755 From 105cdb5aaf49fb767e45afe0f6bd6ec29f29cbd6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 20 Nov 2017 08:39:11 -0600 Subject: [PATCH 127/147] Add --build-type flag to configure wrapper. --- CMakeLists.txt | 2 ++ configure | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 990c09b611..31e2346dfe 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -246,6 +246,8 @@ endif () message( "\n====================| Bro Build Summary |=====================" "\n" + "\nBuild type: ${CMAKE_BUILD_TYPE}" + "\nBuild dir: ${CMAKE_BINARY_DIR}" "\nInstall prefix: ${CMAKE_INSTALL_PREFIX}" "\nBro Script Path: ${BRO_SCRIPT_INSTALL_PATH}" "\nDebug mode: ${ENABLE_DEBUG}" diff --git a/configure b/configure index b58dd84c6a..757dfc595b 100755 --- a/configure +++ b/configure @@ -18,6 +18,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Build Options: --builddir=DIR place build files in directory [build] + --build-type=TYPE set CMake build type [RelWithDebInfo]: + - Debug: optimizations off, debug symbols + flags + - MinSizeRel: size optimizations, debugging off + - Release: optimizations on, debugging off + - RelWithDebInfo: optimizations on, + debug symbols on, debug flags off --generator=GENERATOR CMake generator to use (see cmake --help) Installation Directories: @@ -34,7 +40,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --conf-files-dir=PATH config files installation directory [PREFIX/etc] Optional Features: - --enable-debug compile in debugging mode + --enable-debug compile in debugging mode (like --build-type=Debug) --enable-mobile-ipv6 analyze mobile IPv6 features defined by RFC 6275 --enable-perftools force use of Google perftools on non-Linux systems (automatically on when perftools is present on Linux) @@ -153,6 +159,13 @@ while [ $# -ne 0 ]; do --builddir=*) builddir=$optarg ;; + --build-type=*) + append_cache_entry CMAKE_BUILD_TYPE STRING $optarg + + if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then + append_cache_entry ENABLE_DEBUG BOOL true + fi + ;; --generator=*) CMakeGenerator="$optarg" ;; From 26dc94c31dec9cf32360456ea6e7ab4903ad30f6 Mon Sep 17 00:00:00 2001 
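Review bot: In the `--build-type=*` case the bracket expressions passed to tr are unquoted, so `[:upper:]` and `[:lower:]` are subject to pathname expansion if a file matching them exists in the current directory, and the unquoted `$(...)` inside `[ ... = "debug" ]` produces a test syntax error when the option value is empty. Quoting both fixes it: `if [ "$(echo "$optarg" | tr '[:upper:]' '[:lower:]')" = "debug" ]; then`. Leaving `$optarg` unquoted in `append_cache_entry CMAKE_BUILD_TYPE STRING $optarg` follows the surrounding options, so that line can stay as is.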
From: Jon Siwek Date: Mon, 20 Nov 2017 11:28:59 -0600 Subject: [PATCH 128/147] BIT-1827: fix error on initializing DNS w/ IPv6 nameserver. This just skips over IPv6 nameserver addresses for now and uses the first IPv4 one in the resolver config. Should be possible to support IPv6, but that may need more testing (e.g. need to make sure the code will be portable to various platforms). --- CHANGES | 6 ++++++ VERSION | 2 +- src/nb_dns.c | 49 +++++++++++++++++++++++++++++++------------------ 3 files changed, 38 insertions(+), 19 deletions(-) diff --git a/CHANGES b/CHANGES index 910321247f..98465b94d7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-345 | 2017-11-20 11:28:59 -0600 + + * BIT-1827: fix error on initializing DNS w/ IPv6 nameserver. (Corelight) + + * Add --build-type flag to configure wrapper. (Corelight) + 2.5-343 | 2017-11-17 15:27:04 -0800 * Fix ASCII logging of very large values of type "double". diff --git a/VERSION b/VERSION index 26514725b5..13eaeb1e39 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-343 +2.5-345 diff --git a/src/nb_dns.c b/src/nb_dns.c index 35059ab4f0..f239b4d401 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c 
@@ -131,27 +131,40 @@ nb_dns_init(char *errstr) free(nd); return (NULL); } - nd->s = socket(PF_INET, SOCK_DGRAM, 0); - if (nd->s < 0) { - snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s", - my_strerror(errno)); - free(nd); - return (NULL); - } - /* XXX should use resolver config */ - nd->server = _res.nsaddr_list[0]; + for ( int i = 0; i < _res.nscount; ++i ) + { + nd->server = _res.nsaddr_list[i]; - if (connect(nd->s, (struct sockaddr *)&nd->server, - sizeof(struct sockaddr)) < 0) { - snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", - inet_ntoa(nd->server.sin_addr), my_strerror(errno)); - close(nd->s); - free(nd); - return (NULL); - } + /* XXX support IPv6 */ + if ( nd->server.sin_family != AF_INET ) + continue; - return (nd); + nd->s = socket(nd->server.sin_family, SOCK_DGRAM, 0); + + if ( nd->s < 0 ) + { + snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s", + my_strerror(errno)); + free(nd); + return (NULL); + } + + if ( connect(nd->s, (struct sockaddr *)&nd->server, + sizeof(struct sockaddr)) < 0 ) + { + snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", + inet_ntoa(nd->server.sin_addr), my_strerror(errno)); + close(nd->s); + free(nd); + return (NULL); + } + + return (nd); + } + + snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config"); + return (NULL); } void From deced3795c53c2310c3115cd7c682613b2ba5fc7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 Nov 2017 11:30:55 -0600 Subject: [PATCH 129/147] Fix a nb_dns.c compile error (older OSs) due to C90 vs C99. --- CHANGES | 4 ++++ VERSION | 2 +- src/nb_dns.c | 4 +++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 4758363876..f13c1e0fe3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-348 | 2017-11-21 11:30:55 -0600 + + * Fix a nb_dns.c compile error (older OSs) due to C90 vs C99. (Corelight) + 2.5-347 | 2017-11-20 14:00:37 -0600 * Fix and extend behavior of HookLoadFile. (Corelight) 
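Review bot: The fall-through after the loop leaks `nd`: the new `snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config");` path returns NULL without the `free(nd)` that the socket() and connect() failure branches perform, so every init against a resolver config with only non-IPv4 entries loses the allocation. Add `free(nd);` before that final `return (NULL);`. Separately, connect() is still given `sizeof(struct sockaddr)`, which is only correct because non-AF_INET entries are skipped; if the "XXX support IPv6" note is acted on, the length has to follow the address family. nb_dns_init begins outside this hunk.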
diff --git a/VERSION b/VERSION index a074771e18..ad68c02345 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-347 +2.5-348 diff --git a/src/nb_dns.c b/src/nb_dns.c index f239b4d401..be6ca66059 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c @@ -132,7 +132,9 @@ nb_dns_init(char *errstr) return (NULL); } - for ( int i = 0; i < _res.nscount; ++i ) + int i; + + for ( i = 0; i < _res.nscount; ++i ) { nd->server = _res.nsaddr_list[i]; From 577357d509cb6b961ac447fe420e784a2caa0152 Mon Sep 17 00:00:00 2001 
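Review bot: The hoisted `int i;` is placed after the `if` block that returns NULL, i.e. after statements in the function body; a compiler that enforces C90 strictly also rejects declarations that follow statements, so this may only fix the loop-header case. If the goal is C90 cleanliness, moving `int i;` up to the declarations at the top of nb_dns_init is the safer placement. The function's opening and its other declarations are outside this hunk, so where exactly it belongs cannot be seen here.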
From: Johanna Amann Date: Tue, 28 Nov 2017 12:13:26 -0800 Subject: [PATCH 130/147] Small fixes and changes for the recent ssl-keyexchange-event merge. This commit fixes a few small issues. * server key exchange parameters are only parsed when a named curve is given. * I removed the ssl-verbose.bro and moved the functionality into the testcase. The information that we get with these events is likely irrelevant to the majority of Bro users; I do not think that we have to ship a script that uses them by default. A script like this would be something to publish via the Bro package manager instead; this is the approach that we have taken with a number of the recent SSL addition. * I marked the ssl_server_curve event as deprecated. More information is contained in the new ssl_ecdh_server_params event. This is an events that is probably seldomly (or never) directly used by anyone; I plan to completely remove it right after the 2.6 release. --- CHANGES | 15 +++ NEWS | 14 +++ VERSION | 2 +- scripts/base/protocols/ssl/main.bro | 2 +- scripts/test-all-policy.bro | 1 - src/analyzer/protocol/ssl/events.bif | 26 ++-- .../protocol/ssl/tls-handshake-analyzer.pac | 48 ++++---- .../protocol/ssl/tls-handshake-protocol.pac | 21 ++-- .../ssl-all.log | 0 .../base/protocols/ssl/keyexchange.test | 116 ++++++++++++++++++ .../policy/protocols/ssl/ssl-verbose.test | 9 -- 11 files changed, 201 insertions(+), 53 deletions(-) rename testing/btest/Baseline/{scripts.policy.protocols.ssl.ssl-verbose => scripts.base.protocols.ssl.keyexchange}/ssl-all.log (100%) create mode 100644 testing/btest/scripts/base/protocols/ssl/keyexchange.test delete mode 100644 testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test diff --git a/CHANGES b/CHANGES index 3d124b1c5a..c664bca820 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,19 @@ +2.5-358 | 2017-11-28 12:28:14 -0800 + + * Extend the TLS analyzer with several events containing cryptographic + parameters from the client and server key exchanges. + + The new events are: + + ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature, + ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms + + Since ssl_ecdh_server_params contains more information than the old + ssl_server_curve event, ssl_server_curve is now marked as deprecated. + + (Luke Valenta) + 2.5-352 | 2017-11-21 13:21:51 -0600 * Fix assignments to event arguments becoming visible to subsequent diff --git a/NEWS b/NEWS index 6d35a8978b..d25c0920cf 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,16 @@ New Functionality - The SSL scripts provide a new hook "ssl_finishing(c: connection)" to trigger actions after the handshake has concluded. +- New functionality has been added to the TLS parser, adding several + events. These events mostly extract information from the server and client + key exchange messages. The new events are: + + ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature, + ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms + + Since ssl_ecdh_server_params contains more information than the old + ssl_server_curve event, ssl_server_curve is now marked as deprecated. + Changed Functionality --------------------- @@ -34,6 +44,10 @@ Changed Functionality "application/x-x509-user-cert" for host certificates and "application/x-x509-ca-cert" for CA certificates. +- With the new ssl_ecdh_server_params event, the ssl_server_curve + event is considered deprecated and will be removed in a future + version of Bro. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index 0ddfa81ebe..d05adf51f7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-352 +2.5-358 diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index f806449368..5a50d4a4c3 100644 
--- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -224,7 +224,7 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_ c$ssl$resumed = T; } -event ssl_server_curve(c: connection, curve: count) &priority=5 +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 { set_session(c); diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 804ae14d22..7c828241d0 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -101,7 +101,6 @@ @load protocols/ssl/validate-ocsp.bro @load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro -@load protocols/ssl/ssl-verbose.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro @load tuning/defaults/extracted_file_limits.bro diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index cad453844a..890f6da396 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -108,10 +108,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm -## ssl_extension_key_share +## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params -## ssl_rsa_client_pms ssl_server_signature event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension 
@@ -182,6 +181,9 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ## curve: The curve. ## +## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params +## event. This event will be removed in a future version of Bro. +## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation @@ -189,11 +191,11 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature -event ssl_server_curve%(c: connection, curve: count%); +event ssl_server_curve%(c: connection, curve: count%) &deprecated; -## Generated if a server uses an ECDH-anon or ECDHE cipher suite. This event -## contains the server ECDH parameters, which are sent in the ServerKeyExchange -## message as defined in :rfc:`4492`. +## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve +## This event contains the named curve name and the server ECDH parameters contained +## in the ServerKeyExchange message as defined in :rfc:`4492`. ## ## c: The connection. ## @@ -207,7 +209,7 @@ event ssl_server_curve%(c: connection, curve: count%); event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains -## the server DH parameters, which are sent in the ServerKeyExchange message as +## the server DH parameters, contained in the ServerKeyExchange message as ## defined in :rfc:`5246`. ## ## c: The connection. 
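Review bot: The rewritten ssl_ecdh_server_params description says the event is generated for a named curve but does not say what happens otherwise; since the analyzer change in this same commit returns early for any other curve_type, the doc should state that ServerKeyExchange messages carrying explicit curve parameters produce no event at all, so script authors do not assume every ECDHE handshake is reported. The first sentence also lacks its period: `## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve.`. The deprecation note on ssl_server_curve reads well and matches the `&deprecated` attribute.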
@@ -225,14 +227,14 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event -## contains the server signature over the key exchange parameters, which is sent in +## contains the server signature over the key exchange parameters contained in ## the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`. ## ## c: The connection. ## ## signed_params: A hash of the server params, with the signature appropriate to ## that hash applied. The private key corresponding to the certified -## public key in the server's Certificate message is used for signing. +## public key in the server's certificate message is used for signing. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms @@ -240,7 +242,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); event ssl_server_signature%(c: connection, signed_params: string%); ## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event -## contains the client ECDH public value, which is sent in the ClientKeyExchange +## contains the client ECDH public value contained in the ClientKeyExchange ## message as defined in :rfc:`4492`. ## ## c: The connection. @@ -253,7 +255,7 @@ event ssl_server_signature%(c: connection, signed_params: string%); event ssl_ecdh_client_params%(c: connection, point: string%); ## Generated if a client uses a DH-anon or DHE cipher suite. This event contains -## the client DH parameters, which are sent in the ClientKeyExchange message as +## the client DH parameters contained in the ClientKeyExchange message as ## defined in :rfc:`5246`. ## ## c: The connection. 
@@ -265,7 +267,7 @@ event ssl_ecdh_client_params%(c: connection, point: string%); ## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_dh_client_params%(c: connection, Yc: string%); -## Generate if a client uses an RSA key exchange. This event contains the client +## Generated if a client uses RSA key exchange. This event contains the client ## encrypted pre-master secret which is encrypted using the public key of the ## server's certificate as defined in :rfc:`5246`. ## diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 6555ccedc2..ae62f610e7 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
@@ -272,46 +272,50 @@ refine connection Handshake_Conn += { return true; %} - function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool + function proc_ecdhe_server_key_exchange(kex: EcdheServerKeyExchange) : bool %{ - if ( curve_type == NAMED_CURVE ) - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); + if ( ${kex.curve_type} != NAMED_CURVE ) + return true; + + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), new StringVal(${kex.params.signed_params}.length(), (const char*)${kex.params.signed_params}.data())); return true; %} - function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool + function proc_ecdh_anon_server_key_exchange(kex: EcdhAnonServerKeyExchange) : bool %{ - if ( curve_type == NAMED_CURVE ) - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + if ( ${kex.curve_type} != NAMED_CURVE ) + return true; + + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + 
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); return true; %} function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool %{ - BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); - return true; + BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + return true; %} function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool %{ - BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); - return true; + BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + return true; %} function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool %{ - BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); - return true; + BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + return true; %} function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool 
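Review bot: The early `return true;` when `${kex.curve_type} != NAMED_CURVE` silently drops explicit_prime/explicit_char2 key exchanges without any comment, in both proc_ecdhe_server_key_exchange and proc_ecdh_anon_server_key_exchange; a comment such as `// Explicit curve parameters (curve_type 1 and 2) are not parsed; no event is generated for them.` above the check would record that this is intentional rather than an omission. The two functions now also duplicate the ssl_server_curve and ssl_ecdh_server_params generation line for line, so a small shared helper taking curve and point would keep them in step. The remaining changes to proc_rsa_client_key_exchange, proc_dh_client_key_exchange and proc_ecdh_client_key_exchange are indentation only.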
@@ -438,11 +442,11 @@ refine typeattr CertificateStatus += &let { }; refine typeattr EcdheServerKeyExchange += &let { - proc : bool = $context.connection.proc_ecdhe_server_key_exchange(rec, curve_type, curve, point, signed_params); + proc : bool = $context.connection.proc_ecdhe_server_key_exchange(this); }; refine typeattr EcdhAnonServerKeyExchange += &let { - proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(rec, curve_type, curve, point); + proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(this); }; refine typeattr DheServerKeyExchange += &let { diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 6a4584bb03..43bca802d2 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -360,10 +360,10 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c # currently supported. type EcdheServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) - point_length: uint8; - point: bytestring &length=point_length; - signed_params: bytestring &restofdata; + named_curve: case curve_type of { + NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + default -> data: bytestring &restofdata &transient; + }; }; # Parse an ECDH-anon ServerKeyExchange message, which does not contain a 
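Review bot: The new case arm references `ServerEDCHParamsAndSignature`, a transposition of ECDH that the type definition in the next hunk (and the EcdhAnonServerKeyExchange arm there) repeats; renaming it `ServerECDHParamsAndSignature` in all three places keeps it greppable alongside EcdheServerKeyExchange and EcdhAnonServerKeyExchange. The `default -> data: bytestring &restofdata &transient;` arm is the right way to consume unsupported curve types without retaining the bytes.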
@@ -371,11 +371,18 @@ type EcdheServerKeyExchange(rec: HandshakeRecord) = record { # server is not currently supported. type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) + named_curve: case curve_type of { + NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + default -> data: bytestring &restofdata &transient; + }; +}; + +type ServerEDCHParamsAndSignature() = record { + curve: uint16; point_length: uint8; point: bytestring &length=point_length; - data: bytestring &restofdata &transient; -}; + signed_params: bytestring &restofdata; # only present in case of non-anon message +} # Parse a DHE ServerKeyExchange message, which contains a signature over the # parameters. diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log similarity index 100% rename from testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log rename to testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test new file mode 100644 index 0000000000..1bae07c7f8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test 
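Review bot: Sharing one record between the ECDHE and ECDH-anon messages turns the anon message's trailing bytes into a retained `signed_params` field, whereas the removed anon layout discarded them with `data: bytestring &restofdata &transient;`; proc_ecdh_anon_server_key_exchange never reads signed_params, so this is a copy kept for nothing, and the inline comment "only present in case of non-anon message" documents the mismatch rather than resolving it. Either keep a separate anon record with the transient tail, or state in the comment that the extra copy is accepted for the anon case, e.g. `signed_params: bytestring &restofdata; # non-anon only; empty or ignored for ECDH-anon`.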
@@ -0,0 +1,116 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff ssl-all.log + +# Test the new client and server key exchange events. + +@load base/protocols/ssl +@load base/files/x509 +@load protocols/ssl/extract-certs-pem.bro + +module SSL; + +export { + redef record Info += { + # ClientHello + client_random: string &log &optional; + client_cipher_suites: string &log &optional; + + # ServerHello + server_random: string &log &optional; + + # ServerKeyExchange + server_dh_p: string &log &optional; + server_dh_q: string &log &optional; + server_dh_Ys: string &log &optional; + server_ecdh_point: string &log &optional; + server_signature: string &log &optional; + + # ServerCertificate + server_cert_sha1: string &log &optional; + + # ClientKeyExchange + client_rsa_pms: string &log &optional; + client_dh_Yc: string &log &optional; + client_ecdh_point: string &log &optional; + }; + + ## Control if host certificates offered by the defined hosts + ## will be written to the PEM certificates file. + ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. + redef extract_certs_pem = ALL_HOSTS; +} + +event ssl_established(c: connection) &priority=5 + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || + ! 
c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; + } + +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 + { + set_session(c); + c$ssl$client_random = bytestring_to_hexstr(client_random); + + local ciphers_str = ""; + for (i in ciphers) + { + ciphers_str += cipher_desc[ciphers[i]]; + if ( i != |ciphers|-1) + { + ciphers_str += ","; + } + } + c$ssl$client_cipher_suites = ciphers_str; + } + +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 + { + set_session(c); + c$ssl$server_random = bytestring_to_hexstr(server_random); + } + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 + { + set_session(c); + c$ssl$server_dh_p = bytestring_to_hexstr(p); + c$ssl$server_dh_q = bytestring_to_hexstr(q); + c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 + { + set_session(c); + c$ssl$server_ecdh_point = bytestring_to_hexstr(point); + } + +event ssl_server_signature(c: connection, signed_params: string) &priority=5 + { + set_session(c); + c$ssl$server_signature = bytestring_to_hexstr(signed_params); + } + +event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 + { + set_session(c); + c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); + } + +event ssl_dh_client_params(c: connection, Yc: string) &priority=5 + { + set_session(c); + c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); + } + +event ssl_ecdh_client_params(c: connection, point: string) &priority=5 + { + set_session(c); + c$ssl$client_ecdh_point = bytestring_to_hexstr(point); + } 
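Review bot: In the ssl_client_hello handler, `ciphers_str += cipher_desc[ciphers[i]];` indexes the cipher_desc table without checking membership, so a trace that offers a suite not present in the table raises a runtime "no such index" error and skips the rest of the handler; guarding with `if ( ciphers[i] in cipher_desc )` (or falling back to the numeric value) keeps the test robust when new traces are added. A short comment on the ssl_rsa_client_pms, ssl_dh_client_params and ssl_ecdh_client_params handlers noting that these fields are logged here purely for test coverage would also help, since the Info record redef makes them look like a supported log format.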
diff --git a/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test b/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test deleted file mode 100644 index 253f76c158..0000000000 --- a/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT -# @TEST-EXEC: cat ssl.log > ssl-all.log -# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: cat ssl.log >> ssl-all.log -# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT -# @TEST-EXEC: cat ssl.log >> ssl-all.log -# @TEST-EXEC: btest-diff ssl-all.log - -@load protocols/ssl/ssl-verbose From f8f343fd3ae5bff315224b30d8a8ac9293da6b14 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 29 Nov 2017 14:01:37 -0600 Subject: [PATCH 131/147] Add --ccache option to configure script (requires CMake 3.10+). This just provides a convient way of indicating that ccache should be used as compiler-wrapper during builds. e.g. when I want dev/debug builds that (re)compile quickly, I do: ./configure --build-type=debug --generator=Ninja --ccache --- CHANGES | 4 ++++ CMakeLists.txt | 12 ++++++++++++ VERSION | 2 +- configure | 5 +++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index c664bca820..f8c54b1b19 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-359 | 2017-11-29 14:01:37 -0600 + + * Add --ccache option to configure script (requires CMake 3.10+). (Corelight) + 2.5-358 | 2017-11-28 12:28:14 -0800 * Extend the TLS analyzer with several events containing cryptographic diff --git a/CMakeLists.txt b/CMakeLists.txt index 31e2346dfe..2abd715732 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -9,6 +9,18 @@ include(cmake/CommonCMakeConfig.cmake) ######################################################################## ## Project/Build Configuration +if ( ENABLE_CCACHE ) + find_program(CCACHE_PROGRAM ccache) + + if ( NOT CCACHE_PROGRAM ) + message(FATAL_ERROR "ccache not found") + endif () + + message(STATUS "Using ccache: ${CCACHE_PROGRAM}") + set(CMAKE_C_COMPILER_LAUNCHER ${CCACHE_PROGRAM}) + set(CMAKE_CXX_COMPILER_LAUNCHER ${CCACHE_PROGRAM}) +endif () + set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX}) if (NOT BRO_SCRIPT_INSTALL_PATH) # set the default Bro script installation path (user did not specify one) diff --git a/VERSION b/VERSION index d05adf51f7..253e551217 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-358 +2.5-359 diff --git a/configure b/configure index 757dfc595b..23b12bfb03 100755 --- a/configure +++ b/configure @@ -25,6 +25,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... - RelWithDebInfo: optimizations on, debug symbols on, debug flags off --generator=GENERATOR CMake generator to use (see cmake --help) + --ccache use ccache to speed up recompilation (requires + ccache installation and CMake 3.10+) Installation Directories: --prefix=PREFIX installation directory [/usr/local/bro] @@ -169,6 +171,9 @@ while [ $# -ne 0 ]; do --generator=*) CMakeGenerator="$optarg" ;; + --ccache) + append_cache_entry ENABLE_CCACHE BOOL true + ;; --prefix=*) prefix=$optarg append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg From 1f6954ca3efa8e94542a743aee762e96dbb53704 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 30 Nov 2017 08:42:18 -0800 Subject: [PATCH 132/147] Add missing ; in SSL binpac parser. Binpac for some reason also works without it. Found by Luke Valenta. --- src/analyzer/protocol/ssl/tls-handshake-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 43bca802d2..1ccd128dee 100644 
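Review bot: The new `if ( ENABLE_CCACHE )` block depends on CMake 3.10+ according to the commit message, but nothing in the hunk checks the running CMake version; on an older CMake the `CMAKE_C_COMPILER_LAUNCHER`/`CMAKE_CXX_COMPILER_LAUNCHER` settings may be silently ignored while the build still prints `Using ccache: ...`. A guard ahead of `find_program`, e.g. `if ( CMAKE_VERSION VERSION_LESS 3.10 ) message(FATAL_ERROR "--ccache requires CMake 3.10+") endif ()`, would turn that into an explicit configure-time error that matches the help text added to `configure`.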
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -382,7 +382,7 @@ type ServerEDCHParamsAndSignature() = record { point_length: uint8; point: bytestring &length=point_length; signed_params: bytestring &restofdata; # only present in case of non-anon message -} +}; # Parse a DHE ServerKeyExchange message, which contains a signature over the # parameters. From 8ba5c035388cc52317cd81bae3c9fa3c947c7f2a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 1 Dec 2017 14:35:51 -0800 Subject: [PATCH 133/147] Do not log SOCKS passwords by default. This introduces a new option, SOCKS::default_capture_password which can be used to specify if Socks passwords are logged by default Like fot FTP/HTTP, this option is set to false by default. Addresses BIT-1791 --- NEWS | 8 +++++ scripts/base/protocols/socks/main.bro | 33 +++++++++++-------- .../socks.log | 10 ++++++ .../tunnel.log | 10 ++++++ .../base/protocols/socks/socks-auth.bro | 6 ++++ 5 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log diff --git a/NEWS b/NEWS index d25c0920cf..57c03fe5c5 100644 --- a/NEWS +++ b/NEWS @@ -48,6 +48,14 @@ Changed Functionality event is considered deprecated and will be removed in a future version of Bro. +- The Socks analyzer does no longer log passwords by default. This + brings its behavior in line with the FTP/HTTP analyzers which also + do not log passwords by default. + + To restore the previous behavior and log Socks passwords, use: + + redef SOCKS::default_capture_password = T; + Removed Functionality --------------------- diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index 536e240b81..6995b5de88 100644 --- a/scripts/base/protocols/socks/main.bro 
+++ b/scripts/base/protocols/socks/main.bro @@ -6,32 +6,38 @@ module SOCKS; export { redef enum Log::ID += { LOG }; + ## This setting changes if passwords are captured or + ## not. + const default_capture_password = F &redef; + ## The record type which contains the fields of the SOCKS log. type Info: record { ## Time when the proxy connection was first detected. - ts: time &log; + ts: time &log; ## Unique ID for the tunnel - may correspond to connection uid ## or be non-existent. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Protocol version of SOCKS. - version: count &log; + version: count &log; ## Username used to request a login to the proxy. - user: string &log &optional; + user: string &log &optional; ## Password used to request a login to the proxy. - password: string &log &optional; + password: string &log &optional; ## Server status for the attempt at using the proxy. - status: string &log &optional; + status: string &log &optional; ## Client requested SOCKS address. Could be an address, a name ## or both. - request: SOCKS::Address &log &optional; + request: SOCKS::Address &log &optional; ## Client requested port. - request_p: port &log &optional; + request_p: port &log &optional; ## Server bound address. Could be an address, a name or both. - bound: SOCKS::Address &log &optional; + bound: SOCKS::Address &log &optional; ## Server bound port. - bound_p: port &log &optional; + bound_p: port &log &optional; + ## Determines if the password will be captured for this request. + capture_password: bool &default=default_capture_password; }; ## Event that can be handled to access the SOCKS 
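Review bot: The doc comment on the new `default_capture_password` constant, `## This setting changes if passwords are captured or not.`, does not state the default or that it only seeds the per-connection `capture_password` field; I would write `## Whether SOCKS passwords are captured and written to socks.log. Off by default; can be overridden per connection through Info$capture_password.` It is also worth a short comment on `capture_password: bool &default=default_capture_password;` saying that the field intentionally carries no `&log`, mirroring the FTP/HTTP records the commit message refers to, so a later reader does not treat the missing attribute as an oversight.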
@@ -90,10 +96,11 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5 { # Authentication only possible with the version 5. - set_session(c, 5); + set_session(c, 5); c$socks$user = user; - c$socks$password = password; + if ( c$socks$capture_password ) + c$socks$password = password; } event socks_login_userpass_reply(c: connection, code: count) &priority=5 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log new file mode 100644 index 0000000000..2f7963dbd6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path socks +#open 2017-12-01-22-33-17 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1368517392.724989 CHhAvVGS1DHFjwGM9 192.168.0.2 55951 192.168.0.1 1080 5 bob - succeeded 192.168.0.2 - 22 192.168.0.1 - 55951 +#close 2017-12-01-22-33-17 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log new file mode 100644 index 0000000000..ef6bdc5b33 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log 
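Review bot: With capture disabled the new guard leaves `c$socks$password` unset, so the log cannot distinguish a login that carried no password from one whose password was suppressed; the new baseline shows a bare `-` in the password column. As I recall the FTP script writes a `<hidden>` marker in that situation, and following it here keeps the logs comparable: `if ( c$socks$capture_password ) c$socks$password = password; else c$socks$password = "<hidden>";`. `c$socks$user` is still recorded unconditionally, which looks intended given the FTP/HTTP behaviour cited in the commit message.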
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2017-12-01-22-33-17 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER +#close 2017-12-01-22-33-17 diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.bro index 2123dc1d45..d58e1b5801 100644 --- a/testing/btest/scripts/base/protocols/socks/socks-auth.bro +++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro @@ -3,3 +3,9 @@ # @TEST-EXEC: btest-diff tunnel.log @load base/protocols/socks + +redef SOCKS::default_capture_password = T; + +@TEST-START-NEXT + +@load base/protocols/socks From ecfacbe96e35f0392e04cad04228c870a4363c33 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 5 Dec 2017 11:00:09 -0600 Subject: [PATCH 134/147] Fix documentation for ReassemblerStats. --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/init-bare.bro | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index bd18dc5e1c..dc0d2e4e63 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-363 | 2017-12-05 11:00:09 -0600 + + * Fix documentation for ReassemblerStats. (Corelight) + 2.5-362 | 2017-12-02 09:45:04 -0600 * BIT-1791: Do not log SOCKS passwords by default and add diff --git a/VERSION b/VERSION index 37deebc97b..f22c264edd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-362 +2.5-363 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2a6816d9d..f2ea2ed29a 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -531,7 +531,7 @@ type EventStats: record { dispatched: count; ##< Total number of events dispatched so far. }; -## Summary statistics of all regular expression matchers. +## Holds statistics for all types of reassembly. ## ## .. bro:see:: get_reassembler_stats type ReassemblerStats: record { From 8827ece34a7292718a4da60b4abcb925619e149c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 5 Dec 2017 11:19:57 -0600 Subject: [PATCH 135/147] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 53bf0578a4..e9e91eac74 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 53bf0578a4ead2dcf6c488b610644451584d46e5 +Subproject commit e9e91eac74bf1a240e40bc62ad4f4dc3d88bc126 From 7c03f4dec0b3c693e61f7f8177b03f739e76b36a Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 5 Dec 2017 09:49:00 -0800 Subject: [PATCH 136/147] Fix compile warnings raised by gcc7. /home/johanna/bro/master/src/Sessions.cc: In member function 'void NetSessions::DoNextPacket(double, const Packet*, const IP_Hdr*, const EncapsulationStack*)': /home/johanna/bro/master/src/Sessions.cc:343:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] if ( ip_hdr_len > len ) ~~~~~~~~~~~^~~~~ /home/johanna/bro/master/src/Sessions.cc:349:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] if ( ip_hdr_len > caplen ) ~~~~~~~~~~~^~~~~~~~ /home/johanna/bro/master/src/Sessions.cc:399:20: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] if ( ip_hdr_len > len ) ~~~~~~~~~~~^~~~~ In file included from /usr/include/machine/endian.h:6:0, from /usr/include/sys/types.h:44, from /usr/include/unistd.h:37, from /home/johanna/bro/master/src/Anon.cc:2: /home/johanna/bro/master/src/Anon.cc: In member function 'virtual ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t)': /home/johanna/bro/master/src/Anon.cc:85:18: warning: operation on '((AnonymizeIPAddr_Seq*)this)->AnonymizeIPAddr_Seq::seq' may be undefined [-Wsequence-point] return htonl(seq++); ^ --- src/Anon.cc | 3 ++- src/Sessions.cc | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Anon.cc b/src/Anon.cc index 87791501a4..a2afc489ca 100644 --- a/src/Anon.cc +++ b/src/Anon.cc @@ -82,7 +82,8 @@ int AnonymizeIPAddr::PreserveNet(ipaddr32_t input) ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t /* input */) { - return htonl(seq++); + ++seq; + return htonl(seq); } ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input) diff --git a/src/Sessions.cc b/src/Sessions.cc index a1e685a608..9dc569daa7 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
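Review bot: The rewrite changes the returned value, not only the evaluation order: on platforms where `htonl` is a real function `htonl(seq++)` returned the pre-increment `seq`, while `++seq; return htonl(seq);` returns the post-increment value, so the first anonymized address moves from 0 to 1 and every later one shifts by the same offset. If the old mapping matters (baselines or any consumer expecting the sequence to start at 0), the sequence-point problem can be avoided without changing output via `ipaddr32_t rval = seq++; return htonl(rval);`. If starting at 1 is the intent, a one-line comment stating so would keep the next reader from reverting it.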
@@ -339,7 +339,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // For both of these it is safe to pass ip_hdr because the presence // is guaranteed for the functions that pass data to us. - int ip_hdr_len = ip_hdr->HdrLen(); + uint16 ip_hdr_len = ip_hdr->HdrLen(); if ( ip_hdr_len > len ) { Weird("invalid_IP_header_size", ip_hdr, encapsulation); From bfe94641cf3781293354fd8c80e7307e734be4db Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 5 Dec 2017 11:30:06 -0800 Subject: [PATCH 137/147] Fix another gcc7 warning. Warning is: /home/johanna/bro/master/src/Type.cc: In member function 'virtual bool IndexType::DoUnserialize(UnserialInfo*)': /home/johanna/bro/master/src/Type.cc:548:60: warning: enum constant in boolean context [-Wint-in-bool-context] indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST); ^ /home/johanna/bro/master/src/Type.cc: In member function 'virtual bool FuncType::DoUnserialize(UnserialInfo*)': /home/johanna/bro/master/src/Type.cc:868:61: warning: enum constant in boolean context [-Wint-in-bool-context] args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD); ^ /home/johanna/bro/master/src/Type.cc:872:62: warning: enum constant in boolean context [-Wint-in-bool-context] arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST); This one is a really nice catch in my opinion. GCC is completely correct - the 2nd argument to Unserialize is a bool. This means that all these calls always evaluate to Unserialize(info, true). Which is equivalent with the default, so I just removed the type from the call. This was probably caused by someone thinking of BroVal::Unserialize, which needs the type as the 2nd argument. --- src/Type.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Type.cc b/src/Type.cc index cce328d92b..aa9388d64e 100644 --- a/src/Type.cc +++ b/src/Type.cc 
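Review bot: Declaring `ip_hdr_len` as `uint16` silences the sign-compare warning, but it is a silent narrowing if `IP_Hdr::HdrLen()` returns a wider type; the declaration is outside this hunk so I cannot confirm which it is. If `HdrLen()` already returns `uint16` the change is exact and a comment such as `// HdrLen() is uint16; keep it unsigned for the comparisons against len/caplen below` would record why the type was chosen; if it is wider, `uint32 ip_hdr_len = ip_hdr->HdrLen();` keeps the comparison unsigned without truncation. The enclosing DoNextPacket body continues outside the hunk.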
@@ -545,7 +545,7 @@ bool IndexType::DoUnserialize(UnserialInfo* info) DO_UNSERIALIZE(BroType); UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info)); - indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST); + indices = (TypeList*) BroType::Unserialize(info); return indices != 0; } @@ -865,11 +865,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info) UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info)); - args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD); + args = (RecordType*) BroType::Unserialize(info); if ( ! args ) return false; - arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST); + arg_types = (TypeList*) BroType::Unserialize(info); if ( ! arg_types ) return false; From b730874ea117ef8681359fae92825b85a52af401 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Tue, 17 Oct 2017 18:45:06 -0400 Subject: [PATCH 138/147] problem: for loops over empty tables are slow. This change doubles the performance of for loops over empty tables. A bro binary that prints out this size shows for testing/external/bro-testing/2009-M57-day11-18.trace, for loops are run over tables of size: 11477 for size 0 8371 for size 1 1227 for size 3 239 for size 2 141 for size 6 57 for size 5 10 for size 4 5 for size 7 2 for size 13 2 for size 8 2 for size 11 1 for size 9 ~53% of the for loops were across an empty table. These loops come from things like the for loop in the http script over c$http_state$pending This change prevents the creation of an iteration cookie entirely if the table is empty. Using this test script: const scan_ports: table[port] of count = { }; local x = 0; while ( x < 20000000 ) { for(p in scan_ports) { } ++x; } $ time bro.orig -b ___bench.bro real 0m10.732s user 0m10.415s sys 0m0.113s $ time bro.nocookie -b ___bench.bro real 0m4.694s user 0m4.464s sys 0m0.086s --- src/Stmt.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Stmt.cc b/src/Stmt.cc index d93e8ff14e..ac7bcb39b5 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc 
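Review bot: Dropping the type argument fixes the bool misuse, but the C-style casts `(TypeList*)` and `(RecordType*)` on the new lines still assume the object coming back from `BroType::Unserialize(info)` is of the expected kind; the stream decides which `BroType` subclass is created, so a corrupted or untrusted serialized state (persistence files, remote peers) could yield a different subclass that is then used through the wrong interface. The same applies to `args` and `arg_types` in the second hunk at `@@ -865,11 +865,11 @@`. Checking the tag before casting keeps the failure on the path callers already handle, e.g. `BroType* t = BroType::Unserialize(info); if ( ! t || t->Tag() != TYPE_LIST ) return false; indices = (TypeList*) t;`. Both enclosing DoUnserialize bodies start outside their hunks.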
@@ -1292,6 +1292,8 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const { TableVal* tv = v->AsTableVal(); const PDict(TableEntryVal)* loop_vals = tv->AsTable(); + if (!loop_vals->Length()) + return ret; HashKey* k; IterCookie* c = loop_vals->InitForIteration(); From 1e4964de7760ba83c9557b00fd8563e61e364d18 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 11 Dec 2017 15:29:28 -0600 Subject: [PATCH 139/147] Preallocate all possible PortVals. The performance benefit is small (maybe ~1% at most), however, it's a trivial change without downsides. --- src/CompHash.cc | 2 +- src/Conn.cc | 4 +- src/Event.cc | 2 +- src/IP.cc | 8 ++-- src/PersistenceSerializer.cc | 2 +- src/RemoteSerializer.cc | 2 +- src/TunnelEncapsulation.cc | 4 +- src/Val.cc | 47 +++++++++++++++++++ src/Val.h | 24 ++++++++-- src/analyzer/Manager.cc | 8 ++-- .../protocol/bittorrent/BitTorrentTracker.cc | 2 +- .../bittorrent/bittorrent-analyzer.pac | 2 +- src/analyzer/protocol/ftp/functions.bif | 6 +-- src/analyzer/protocol/icmp/ICMP.cc | 8 ++-- src/analyzer/protocol/ident/Ident.cc | 12 ++--- src/analyzer/protocol/rpc/Portmap.cc | 6 +-- .../protocol/socks/socks-analyzer.pac | 8 ++-- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 7 +-- src/analyzer/protocol/teredo/Teredo.cc | 2 +- src/analyzer/protocol/udp/UDP.cc | 8 ++-- src/bro.bif | 14 +++--- src/broker/Data.cc | 2 +- src/broker/Manager.cc | 6 +-- src/broker/data.bif | 2 +- src/file_analysis/File.cc | 4 +- .../analyzer/unified2/unified2-analyzer.pac | 2 +- src/input/Manager.cc | 2 +- src/main.cc | 3 ++ src/scan.l | 8 ++-- 29 files changed, 139 insertions(+), 68 deletions(-) diff --git a/src/CompHash.cc b/src/CompHash.cc index 2e28bff78e..f120c3618b 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -703,7 +703,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0, break; case TYPE_PORT: - pval = new PortVal(*kp); + pval = port_mgr->Get(*kp); break; default: 
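Review bot: The early return `if (!loop_vals->Length()) return ret;` departs from the surrounding style (`if ( ! x )` with spaces, as in the neighbouring hunks) and skips whatever ForStmt::DoExec normally does before its return; the function starts and ends outside the hunk, so I cannot see whether `flow` has already been set to its default and `ret` initialized at this point, and both should be confirmed. I would write `if ( ! loop_vals->Length() ) return ret;` with a comment `// Empty table (the common case): skip allocating an iteration cookie.` so the reason for the shortcut is preserved next to the code.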
diff --git a/src/Conn.cc b/src/Conn.cc index 2034a57786..1edecde0b9 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -364,9 +364,9 @@ RecordVal* Connection::BuildConnVal() RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(orig_addr)); - id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type)); + id_val->Assign(1, port_mgr->Get(ntohs(orig_port), prot_type)); id_val->Assign(2, new AddrVal(resp_addr)); - id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type)); + id_val->Assign(3, port_mgr->Get(ntohs(resp_port), prot_type)); RecordVal *orig_endp = new RecordVal(endpoint); orig_endp->Assign(0, new Val(0, TYPE_COUNT)); diff --git a/src/Event.cc b/src/Event.cc index 6371a69248..7b1c88ea64 100644 --- a/src/Event.cc +++ b/src/Event.cc @@ -166,7 +166,7 @@ RecordVal* EventMgr::GetLocalPeerVal() src_val = new RecordVal(peer); src_val->Assign(0, new Val(0, TYPE_COUNT)); src_val->Assign(1, new AddrVal("127.0.0.1")); - src_val->Assign(2, new PortVal(0)); + src_val->Assign(2, port_mgr->Get(0)); src_val->Assign(3, new Val(true, TYPE_BOOL)); Ref(peer_description); diff --git a/src/IP.cc b/src/IP.cc index ebe778e3d7..79e1cf4fba 100644 --- a/src/IP.cc +++ b/src/IP.cc @@ -370,8 +370,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const int tcp_hdr_len = tp->th_off * 4; int data_len = PayloadLen() - tcp_hdr_len; - tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP)); - tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP)); + tcp_hdr->Assign(0, port_mgr->Get(ntohs(tp->th_sport), TRANSPORT_TCP)); + tcp_hdr->Assign(1, port_mgr->Get(ntohs(tp->th_dport), TRANSPORT_TCP)); tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT)); tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT)); tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT)); 
@@ -388,8 +388,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const const struct udphdr* up = (const struct udphdr*) data; RecordVal* udp_hdr = new RecordVal(udp_hdr_type); - udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP)); - udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP)); + udp_hdr->Assign(0, port_mgr->Get(ntohs(up->uh_sport), TRANSPORT_UDP)); + udp_hdr->Assign(1, port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP)); udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT)); pkt_hdr->Assign(sindex + 3, udp_hdr); diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc index 9400b2d0ca..52778ed10c 100644 --- a/src/PersistenceSerializer.cc +++ b/src/PersistenceSerializer.cc @@ -191,7 +191,7 @@ void PersistenceSerializer::RaiseFinishedSendState() { val_list* vl = new val_list; vl->append(new AddrVal(htonl(remote_host))); - vl->append(new PortVal(remote_port)); + vl->append(port_mgr->Get(remote_port)); mgr.QueueEvent(finished_send_state, vl); reporter->Log("Serialization done."); diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 7d8899d8b9..78080e31f5 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -1809,7 +1809,7 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer) v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT)); // Sic! Network order for AddrVal, host order for PortVal. v->Assign(1, new AddrVal(peer->ip)); - v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP)); + v->Assign(2, port_mgr->Get(peer->port, TRANSPORT_TCP)); v->Assign(3, new Val(false, TYPE_BOOL)); v->Assign(4, new StringVal("")); // set when received v->Assign(5, peer->peer_class.size() ? diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc index cb4b1eaabe..556de9382a 100644 --- a/src/TunnelEncapsulation.cc +++ b/src/TunnelEncapsulation.cc 
@@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
 RecordVal* id_val = new RecordVal(conn_id);
 id_val->Assign(0, new AddrVal(src_addr));
- id_val->Assign(1, new PortVal(ntohs(src_port), proto));
+ id_val->Assign(1, port_mgr->Get(ntohs(src_port), proto));
 id_val->Assign(2, new AddrVal(dst_addr));
- id_val->Assign(3, new PortVal(ntohs(dst_port), proto));
+ id_val->Assign(3, port_mgr->Get(ntohs(dst_port), proto));
 rv->Assign(0, id_val);
 rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type));
diff --git a/src/Val.cc b/src/Val.cc
index ca70e1f5df..abae677754 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -760,6 +760,53 @@ bool IntervalVal::DoUnserialize(UnserialInfo* info)
 return true;
 }
+PortManager::PortManager()
+ {
+ for ( auto i = 0u; i < ports.size(); ++i )
+ {
+ auto& arr = ports[i];
+ auto port_type = (TransportProto)i;
+
+ for ( auto j = 0u; j < arr.size(); ++j )
+ arr[j] = new PortVal(j, port_type);
+ }
+ }
+
+PortManager::~PortManager()
+ {
+ for ( auto& arr : ports )
+ for ( auto& pv : arr )
+ Unref(pv);
+ }
+
+PortVal* PortManager::Get(uint32 port_num) const
+ {
+ auto mask = port_num & PORT_SPACE_MASK;
+ port_num &= ~PORT_SPACE_MASK;
+
+ if ( mask == TCP_PORT_MASK )
+ return Get(port_num, TRANSPORT_TCP);
+ else if ( mask == UDP_PORT_MASK )
+ return Get(port_num, TRANSPORT_UDP);
+ else if ( mask == ICMP_PORT_MASK )
+ return Get(port_num, TRANSPORT_ICMP);
+ else
+ return Get(port_num, TRANSPORT_UNKNOWN);
+ }
+
+PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const
+ {
+ if ( port_num >= 65536 )
+ {
+ reporter->Warning("bad port number %d", port_num);
+ port_num = 0;
+ }
+
+ auto rval = ports[port_type][port_num];
+ ::Ref(rval);
+ return rval;
+ }
+
 PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT)
 {
 // Note, for ICMP one-way connections:
diff --git a/src/Val.h b/src/Val.h
index 160eeafe64..d0538db8ee 100644
--- a/src/Val.h
+++ b/src/Val.h
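Review bot: In the two-argument `PortManager::Get`, `reporter->Warning("bad port number %d", port_num)` formats a `uint32` with `%d`; it should be `%u` (or an explicit cast), otherwise values above INT_MAX are printed as negatives. The same function indexes `ports[port_type][port_num]` without validating `port_type`, and `std::array::operator[]` is unchecked; most callers pass an enum constant, but `count_to_port` at the end of this series passes a script-supplied value through `(TransportProto)proto->AsEnum()`, so a guard in the same shape as the port check, `if ( port_type >= NUM_PORT_SPACES ) { reporter->Warning("bad transport proto %d", port_type); port_type = TRANSPORT_UNKNOWN; }`, would keep an out-of-range value from reading outside the table. A header comment on `Get` stating that the returned `PortVal` is a shared preallocated object handed back with one reference added (`::Ref(rval)`) would document the contract every call site in this commit relies on.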
@@ -7,6 +7,7 @@ #include #include +#include #include "net_util.h" #include "Type.h" @@ -503,12 +504,22 @@ protected: #define UDP_PORT_MASK 0x20000 #define ICMP_PORT_MASK 0x30000 +class PortManager { +public: + PortManager(); + ~PortManager(); + + // Port number given in host order. + PortVal* Get(uint32 port_num) const; + PortVal* Get(uint32 port_num, TransportProto port_type) const; + + std::array, NUM_PORT_SPACES> ports; +}; + +extern PortManager* port_mgr; + class PortVal : public Val { public: - // Constructors - both take the port number in host order. - PortVal(uint32 p, TransportProto port_type); - PortVal(uint32 p); // used for already-massaged port value. - Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); } // Returns the port number in host order (not including the mask). @@ -533,7 +544,12 @@ public: protected: friend class Val; + friend class PortManager; PortVal() {} + // Constructors - both take the port number in host order. + PortVal(uint32 p, TransportProto port_type); + PortVal(uint32 p); // used for already-massaged port value. + void ValDescribe(ODesc* d) const override; diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 9858001c6f..4b5441f395 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -434,14 +434,16 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( tcp_contents && ! reass ) { - PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); + auto dport = port_mgr->Get(ntohs(conn->RespPort()), TRANSPORT_TCP); Val* result; if ( ! reass ) - reass = tcp_content_delivery_ports_orig->Lookup(&dport); + reass = tcp_content_delivery_ports_orig->Lookup(dport); if ( ! reass ) - reass = tcp_content_delivery_ports_resp->Lookup(&dport); + reass = tcp_content_delivery_ports_resp->Lookup(dport); + + Unref(dport); } if ( reass ) diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 43ee6a2b21..452fb0fe6c 100644 
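Review bot: `ports` is a public data member of the new `PortManager`, so any translation unit can replace or Unref entries of the shared table behind the manager's back; it should sit under `private:`, since nothing in this commit reads it from outside the class. The two `Get()` declarations also do not say that the returned `PortVal*` carries a fresh reference the caller must `Unref()` and must not mutate (the Val.cc definitions `::Ref(rval)` before returning, and every call site in this commit that keeps the pointer does `Unref` it); I would add `// Returns a shared, preallocated PortVal with one reference added for the caller, who owns that reference (Unref when done) and must not modify the value.` above them, and keep the distinction the old constructor comments drew: the one-argument form takes an already-masked port value, the two-argument form the raw host-order port plus protocol.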
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -482,7 +482,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, RecordVal* peer = new RecordVal(bittorrent_peer); peer->Assign(0, new AddrVal(ad)); - peer->Assign(1, new PortVal(pt, TRANSPORT_TCP)); + peer->Assign(1, port_mgr->Get(pt, TRANSPORT_TCP)); res_val_peers->Assign(peer, 0); Unref(peer); diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac index 3bc6d90230..6040577d39 100644 --- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac @@ -222,7 +222,7 @@ flow BitTorrent_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), - new PortVal(listen_port, TRANSPORT_TCP)); + port_mgr->Get(listen_port, TRANSPORT_TCP)); } return true; diff --git a/src/analyzer/protocol/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif index b57b24df20..9508061102 100644 --- a/src/analyzer/protocol/ftp/functions.bif +++ b/src/analyzer/protocol/ftp/functions.bif @@ -33,13 +33,13 @@ static Val* parse_port(const char* line) } r->Assign(0, new AddrVal(htonl(addr))); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP)); r->Assign(2, new Val(good, TYPE_BOOL)); } else { r->Assign(0, new AddrVal(uint32(0))); - r->Assign(1, new PortVal(0, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(0, TRANSPORT_TCP)); r->Assign(2, new Val(0, TYPE_BOOL)); } @@ -109,7 +109,7 @@ static Val* parse_eftp(const char* line) } r->Assign(0, new AddrVal(addr)); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP)); r->Assign(2, new Val(good, TYPE_BOOL)); return r; diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 6a42e064d7..2dedca5ae1 100644 
--- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -352,9 +352,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(src_port, proto)); + id_val->Assign(1, port_mgr->Get(src_port, proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(dst_port, proto)); + id_val->Assign(3, port_mgr->Get(dst_port, proto)); iprec->Assign(0, id_val); iprec->Assign(1, new Val(ip_len, TYPE_COUNT)); @@ -411,9 +411,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data) RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(src_port, proto)); + id_val->Assign(1, port_mgr->Get(src_port, proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(dst_port, proto)); + id_val->Assign(3, port_mgr->Get(dst_port, proto)); iprec->Assign(0, id_val); iprec->Assign(1, new Val(ip_len, TYPE_COUNT)); diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index 9601be7562..27eafb5426 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -82,8 +82,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); ConnectionEvent(ident_request, vl); 
@@ -143,8 +143,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); vl->append(new StringVal(end_of_line - line, line)); ConnectionEvent(ident_error, vl); @@ -177,8 +177,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); vl->append(new StringVal(end_of_line - line, line)); vl->append(new StringVal(sys_type_s)); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index 5d7c980879..9f52394ac4 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -126,7 +126,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status RecordVal* rv = c->RequestVal()->AsRecordVal(); Val* is_tcp = rv->Lookup(2); - reply = new PortVal(CheckPort(port), + reply = port_mgr->Get(CheckPort(port), is_tcp->IsOne() ? TRANSPORT_TCP : TRANSPORT_UDP); event = pm_request_getport; @@ -178,7 +178,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status if ( ! opaque_reply ) return 0; - reply = new PortVal(CheckPort(port), TRANSPORT_UDP); + reply = port_mgr->Get(CheckPort(port), TRANSPORT_UDP); event = pm_request_callit; } else 
@@ -202,7 +202,7 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; uint32 port = extract_XDR_uint32(buf, len); - mapping->Assign(2, new PortVal(CheckPort(port), + mapping->Assign(2, port_mgr->Get(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); if ( ! buf ) diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index b8c4165a54..0f13335785 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -32,7 +32,7 @@ refine connection SOCKS_Conn += { 4, ${request.command}, sa, - new PortVal(${request.port} | TCP_PORT_MASK), + port_mgr->Get(${request.port} | TCP_PORT_MASK), array_to_string(${request.user})); static_cast(bro_analyzer())->EndpointDone(true); @@ -50,7 +50,7 @@ refine connection SOCKS_Conn += { 4, ${reply.status}, sa, - new PortVal(${reply.port} | TCP_PORT_MASK)); + port_mgr->Get(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); @@ -102,7 +102,7 @@ refine connection SOCKS_Conn += { 5, ${request.command}, sa, - new PortVal(${request.port} | TCP_PORT_MASK), + port_mgr->Get(${request.port} | TCP_PORT_MASK), new StringVal("")); static_cast(bro_analyzer())->EndpointDone(true); @@ -141,7 +141,7 @@ refine connection SOCKS_Conn += { 5, ${reply.reply}, sa, - new PortVal(${reply.port} | TCP_PORT_MASK)); + port_mgr->Get(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index b1d7dca012..bcbe20d499 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc 
@@ -38,18 +38,19 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, if ( ::tcp_contents ) { - // Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT); - PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()), + auto dst_port_val = port_mgr->Get(ntohs(tcp_analyzer->Conn()->RespPort()), TRANSPORT_TCP); TableVal* ports = IsOrig() ? tcp_content_delivery_ports_orig : tcp_content_delivery_ports_resp; - Val* result = ports->Lookup(&dst_port_val); + Val* result = ports->Lookup(dst_port_val); if ( (IsOrig() && tcp_content_deliver_all_orig) || (! IsOrig() && tcp_content_deliver_all_resp) || (result && result->AsBool()) ) deliver_tcp_contents = 1; + + Unref(dst_port_val); } } diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 663e61749d..3d7fb397fb 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc @@ -130,7 +130,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const RecordVal* teredo_origin = new RecordVal(teredo_origin_type); uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF; uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF; - teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP)); + teredo_origin->Assign(0, port_mgr->Get(port, TRANSPORT_UDP)); teredo_origin->Assign(1, new AddrVal(htonl(addr))); teredo_hdr->Assign(1, teredo_origin); } diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 3bd3736b2a..ca46b88339 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc 
@@ -97,14 +97,14 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( udp_contents ) { - PortVal port_val(ntohs(up->uh_dport), TRANSPORT_UDP); + auto port_val = port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP); Val* result = 0; bool do_udp_contents = false; if ( is_orig ) { result = udp_content_delivery_ports_orig->Lookup( - &port_val); + port_val); if ( udp_content_deliver_all_orig || (result && result->AsBool()) ) do_udp_contents = true; @@ -112,7 +112,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, else { result = udp_content_delivery_ports_resp->Lookup( - &port_val); + port_val); if ( udp_content_deliver_all_resp || (result && result->AsBool()) ) do_udp_contents = true; @@ -126,6 +126,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, vl->append(new StringVal(len, (const char*) data)); ConnectionEvent(udp_contents, vl); } + + Unref(port_val); } if ( is_orig ) diff --git a/src/bro.bif b/src/bro.bif index 852f806230..b6922f9fab 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2270,7 +2270,7 @@ function port_to_count%(p: port%): count ## .. bro:see:: port_to_count function count_to_port%(num: count, proto: transport_proto%): port %{ - return new PortVal(num, (TransportProto)proto->AsEnum()); + return port_mgr->Get(num, (TransportProto)proto->AsEnum()); %} ## Converts a :bro:type:`string` to an :bro:type:`addr`. 
@@ -2430,16 +2430,16 @@ function to_port%(s: string%): port { ++slash; if ( streq(slash, "tcp") ) - return new PortVal(port, TRANSPORT_TCP); + return port_mgr->Get(port, TRANSPORT_TCP); else if ( streq(slash, "udp") ) - return new PortVal(port, TRANSPORT_UDP); + return port_mgr->Get(port, TRANSPORT_UDP); else if ( streq(slash, "icmp") ) - return new PortVal(port, TRANSPORT_ICMP); + return port_mgr->Get(port, TRANSPORT_ICMP); } } builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/"); - return new PortVal(port, TRANSPORT_UNKNOWN); + return port_mgr->Get(port, TRANSPORT_UNKNOWN); %} ## Converts a string of bytes (in network byte order) to a :bro:type:`double`. @@ -3208,9 +3208,9 @@ function lookup_connection%(cid: conn_id%): connection RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal((unsigned int) 0)); - id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP)); + id_val->Assign(1, port_mgr->Get(ntohs(0), TRANSPORT_UDP)); id_val->Assign(2, new AddrVal((unsigned int) 0)); - id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP)); + id_val->Assign(3, port_mgr->Get(ntohs(0), TRANSPORT_UDP)); c->Assign(0, id_val); RecordVal* orig_endp = new RecordVal(endpoint); diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 6420144193..09b0da11e1 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -135,7 +135,7 @@ struct val_converter { result_type operator()(broker::port& a) { if ( type->Tag() == TYPE_PORT ) - return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type())); + return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type())); return nullptr; } diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index eebcd2792f..d5acb27b5a 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -697,7 +697,7 @@ void bro_broker::Manager::Process() { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, + vl->append(port_mgr->Get(u.relation.remote_tuple().second, TRANSPORT_TCP)); vl->append(new StringVal(u.peer_name)); mgr.QueueEvent(Broker::outgoing_connection_established, vl); @@ -709,7 +709,7 @@ void bro_broker::Manager::Process() { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, + vl->append(port_mgr->Get(u.relation.remote_tuple().second, TRANSPORT_TCP)); mgr.QueueEvent(Broker::outgoing_connection_broken, vl); } @@ -720,7 +720,7 @@ void bro_broker::Manager::Process() { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, + vl->append(port_mgr->Get(u.relation.remote_tuple().second, TRANSPORT_TCP)); mgr.QueueEvent(Broker::outgoing_connection_incompatible, vl); } diff --git a/src/broker/data.bif b/src/broker/data.bif index d526d0a779..7f9c27f9a2 100644 --- a/src/broker/data.bif +++ b/src/broker/data.bif @@ -88,7 +88,7 @@ function Broker::__refine_to_port%(d: Broker::Data%): port %{ auto& a = bro_broker::require_data_type(d->AsRecordVal(), TYPE_PORT, frame); - return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type())); + return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type())); %} function Broker::__refine_to_time%(d: Broker::Data%): time diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 46624e23c0..711186335e 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
@@ -34,9 +34,9 @@ static RecordVal* get_conn_id_val(const Connection* conn) { RecordVal* v = new RecordVal(conn_id); v->Assign(0, new AddrVal(conn->OrigAddr())); - v->Assign(1, new PortVal(ntohs(conn->OrigPort()), conn->ConnTransport())); + v->Assign(1, port_mgr->Get(ntohs(conn->OrigPort()), conn->ConnTransport())); v->Assign(2, new AddrVal(conn->RespAddr())); - v->Assign(3, new PortVal(ntohs(conn->RespPort()), conn->ConnTransport())); + v->Assign(3, port_mgr->Get(ntohs(conn->RespPort()), conn->ConnTransport())); return v; } diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac index 11072f140b..bedf54be5b 100644 --- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac +++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac @@ -54,7 +54,7 @@ refine flow Flow += { case 17: proto = TRANSPORT_UDP; break; } - return new PortVal(n, proto); + return port_mgr->Get(n, proto); %} #function proc_record(rec: Record) : bool diff --git a/src/input/Manager.cc b/src/input/Manager.cc index d029e38092..9a7f1f052f 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2287,7 +2287,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ } case TYPE_PORT: - return new PortVal(val->val.port_val.port, val->val.port_val.proto); + return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto); case TYPE_ADDR: { diff --git a/src/main.cc b/src/main.cc index 0ca39e9e2d..a1ae750963 100644 --- a/src/main.cc +++ b/src/main.cc @@ -87,6 +87,7 @@ int perftools_profile = 0; DNS_Mgr* dns_mgr; TimerMgr* timer_mgr; +PortManager* port_mgr = 0; logging::Manager* log_mgr = 0; threading::Manager* thread_mgr = 0; input::Manager* input_mgr = 0; @@ -384,6 +385,7 @@ void terminate_bro() delete plugin_mgr; delete reporter; delete iosource_mgr; + delete port_mgr; reporter = 0; } 
@@ -711,6 +713,7 @@ int main(int argc, char** argv) bro_start_time = current_time(true); + port_mgr = new PortManager(); reporter = new Reporter(); thread_mgr = new threading::Manager(); plugin_mgr = new plugin::Manager(); diff --git a/src/scan.l b/src/scan.l index cdac72c1cd..46848f78fd 100644 --- a/src/scan.l +++ b/src/scan.l @@ -474,7 +474,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_TCP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_TCP)) } {D}"/udp" { uint32 p = atoi(yytext); @@ -483,7 +483,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_UDP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_UDP)) } {D}"/icmp" { uint32 p = atoi(yytext); @@ -492,7 +492,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_ICMP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_ICMP)) } {D}"/unknown" { uint32 p = atoi(yytext); @@ -501,7 +501,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN)) + RET_CONST(port_mgr->Get(p, TRANSPORT_UNKNOWN)) } {FLOAT}{OWS}day(s?) RET_CONST(new IntervalVal(atof(yytext),Days)) From 054c4a67c4e48fa93685240f62feba50c3f66f8b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 12 Dec 2017 11:34:49 -0600 Subject: [PATCH 140/147] Add BRO_DEPRECATED macro. --- src/util.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/util.h b/src/util.h index 30ef8a61da..5dc2484319 100644 --- a/src/util.h +++ b/src/util.h 
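Review bot: `port_mgr = new PortManager();` is placed before `reporter = new Reporter();`, yet PortManager's constructor (the Val.cc hunk at -768 further down) now calls `Mask()`, whose out-of-range branch calls `reporter->Warning(...)`, so any warning raised during construction would dereference a null reporter. The loop bound `j < arr.size()` presumably keeps every j below 65536 and the branch never fires today, but that safety rests on an invariant the code does not state. Assuming Reporter's own constructor creates no port values, moving the line below `reporter = new Reporter();` removes the ordering hazard; otherwise add `// Must stay safe to run before reporter exists: Mask() warns on out-of-range ports.` next to it.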
@@ -3,6 +3,15 @@ #ifndef util_h #define util_h +#ifdef __GNUC__ + #define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg))) +#elif defined(_MSC_VER) + #define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func +#else + #pragma message("Warning: BRO_DEPRECATED macro not implemented") + #define BRO_DEPRECATED(msg) +#endif + // Expose C99 functionality from inttypes.h, which would otherwise not be // available in C++. #ifndef __STDC_FORMAT_MACROS From d6d7f33f5c62fef59f6bce3892d5c81f1d333755 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 12 Dec 2017 11:35:55 -0600 Subject: [PATCH 141/147] Clean up PortManager class, mark PortVal ctors deprecated. Moved PortVal ctors back to public API, but deprecated, just in case it helps give any external code a chance to adapt. --- src/Val.cc | 29 ++++++++++++++++++++--------- src/Val.h | 21 ++++++++++++++++----- 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/src/Val.cc b/src/Val.cc index abae677754..4db8aedd73 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -768,7 +768,7 @@ PortManager::PortManager() auto port_type = (TransportProto)i; for ( auto j = 0u; j < arr.size(); ++j ) - arr[j] = new PortVal(j, port_type); + arr[j] = new PortVal(Mask(j, port_type), true); } } 
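Review bot: The `_MSC_VER` branch expands to `__declspec(deprecated(msg)) func`; the trailing `func` token looks like a leftover from a function-style draft and would be spliced into every declaration that uses the macro on MSVC, so that branch cannot compile. It should read `#define BRO_DEPRECATED(msg) __declspec(deprecated(msg))`. The fallback branch's `#pragma message` is presumably emitted once per translation unit that includes util.h, which on an unsupported compiler becomes one warning per file; consider keeping only the empty definition there.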
@@ -807,34 +807,45 @@ PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const return rval; } -PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) +uint32 PortManager::Mask(uint32 port_num, TransportProto port_type) const { // Note, for ICMP one-way connections: // src_port = icmp_type, dst_port = icmp_code. - if ( p >= 65536 ) + if ( port_num >= 65536 ) { - InternalWarning("bad port number"); - p = 0; + reporter->Warning("bad port number %d", port_num); + port_num = 0; } switch ( port_type ) { case TRANSPORT_TCP: - p |= TCP_PORT_MASK; + port_num |= TCP_PORT_MASK; break; case TRANSPORT_UDP: - p |= UDP_PORT_MASK; + port_num |= UDP_PORT_MASK; break; case TRANSPORT_ICMP: - p |= ICMP_PORT_MASK; + port_num |= ICMP_PORT_MASK; break; default: - break; // "other" + break; // "unknown/other" } + return port_num; + } + +PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) + { + auto port_num = port_mgr->Mask(p, port_type); + val.uint_val = static_cast(port_num); + } + +PortVal::PortVal(uint32 p, bool unused) : Val(TYPE_PORT) + { val.uint_val = static_cast(p); } diff --git a/src/Val.h b/src/Val.h index d0538db8ee..6da37b7137 100644 --- a/src/Val.h +++ b/src/Val.h @@ -510,9 +510,15 @@ public: ~PortManager(); // Port number given in host order. - PortVal* Get(uint32 port_num) const; PortVal* Get(uint32 port_num, TransportProto port_type) const; + // Host-order port number already masked with port space protocol mask. + PortVal* Get(uint32 port_num) const; + + // Returns a masked port number + uint32 Mask(uint32 port_num, TransportProto port_type) const; + +private: std::array, NUM_PORT_SPACES> ports; }; 
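Review bot: `reporter->Warning("bad port number %d", port_num)` formats a `uint32` with `%d`; `%u` is the matching conversion (the old `InternalWarning` call passed no format argument). In the visible body `Mask()` reads no member state, so it could be declared `static uint32 Mask(uint32 port_num, TransportProto port_type);` in the Val.h hunk below, and the now-deprecated `PortVal(uint32, TransportProto)` could then call `PortManager::Mask(p, port_type)` instead of going through the `port_mgr` global. As written, external code that still uses that constructor before main() has created `port_mgr` dereferences a null pointer, which undercuts the stated goal of giving such code a chance to adapt.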
@@ -520,6 +526,14 @@ extern PortManager* port_mgr; class PortVal : public Val { public: + // Port number given in host order. + BRO_DEPRECATED("use port_mgr->Get() instead") + PortVal(uint32 p, TransportProto port_type); + + // Host-order port number already masked with port space protocol mask. + BRO_DEPRECATED("use port_mgr->Get() instead") + PortVal(uint32 p); + Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); } // Returns the port number in host order (not including the mask). @@ -546,10 +560,7 @@ protected: friend class Val; friend class PortManager; PortVal() {} - // Constructors - both take the port number in host order. - PortVal(uint32 p, TransportProto port_type); - PortVal(uint32 p); // used for already-massaged port value. - + PortVal(uint32 p, bool unused); void ValDescribe(ODesc* d) const override; From ac955519b2f6279699d3e335ec993b5b615209ff Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 13 Dec 2017 15:00:15 -0500 Subject: [PATCH 142/147] Remove some DNS weirds that caused volume and didn't help anyone. These have been lingering for a while and they generally annoy everyone because of the sheer volume. They also don't really add any useful information for debugging and they were generated differently than most other weirds anyway (which was a little weird...). --- scripts/base/protocols/dns/main.bro | 14 ++------------ .../weird.log | 6 ++---- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index db5d30b55c..a8946e871e 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -2,7 +2,6 @@ ##! their responses. @load base/utils/queue -@load base/frameworks/notice/weird @load ./consts module DNS; 
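Review bot: The protected `PortVal(uint32 p, bool unused);` in the second hunk is the only constructor in this class left without a comment, and a bare `bool` whose value the definition ignores does not tell a reader what it selects. Add `// Port number already masked by PortManager::Mask(); the bool only disambiguates this overload.` or, cleaner, replace the flag with an empty tag type so the intent lives in the signature. The two deprecated public constructors depend on `BRO_DEPRECATED` from util.h; whether Val.h includes that header is not visible in this hunk.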
@@ -177,9 +176,6 @@ function log_unmatched_msgs_queue(q: Queue::Queue) for ( i in infos ) { - local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid, - $id=infos[i]$id); - Weird::weird(wi); Log::write(DNS::LOG, infos[i]); } } @@ -187,21 +183,19 @@ function log_unmatched_msgs_queue(q: Queue::Queue) function log_unmatched_msgs(msgs: PendingMessages) { for ( trans_id in msgs ) + { log_unmatched_msgs_queue(msgs[trans_id]); + } clear_table(msgs); } function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) { - local wi: Weird::Info; if ( id !in msgs ) { if ( |msgs| > max_pending_query_ids ) { - wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid, - $id=msg$id); - Weird::weird(wi); # Throw away all unmatched on assumption they'll never be matched. log_unmatched_msgs(msgs); } @@ -212,9 +206,6 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) { if ( Queue::len(msgs[id]) > max_pending_msgs ) { - wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid, - $id=msg$id); - Weird::weird(wi); log_unmatched_msgs_queue(msgs[id]); # Throw away all unmatched on assumption they'll never be matched. msgs[id] = Queue::init(); @@ -271,7 +262,6 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 # Create a new DNS session and put it in the reply queue so # we can wait for a matching query. c$dns = new_session(c, msg$id); - event conn_weird("dns_unmatched_reply", c, ""); enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns); } } diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log index d06db5cb06..e9d388f1fc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log 
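Review bot: After this change the branches in `enqueue_new_msg` that flush the pending tables when `max_pending_query_ids` or `max_pending_msgs` is exceeded become completely silent, so an operator gets no signal that the table-size guard is being hit — and those limits are presumably what bound memory under a flood of unmatched queries. If the weirds go for volume reasons, leave a note at the flush sites, e.g. `# Silent by design: the dns_unmatched_msg* weirds were removed as too noisy.`, so the next reader does not add them back ad hoc; a rate-limited counter would be the lighter-weight alternative if visibility is wanted later.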
@@ -3,10 +3,8 @@ #empty_field (empty) #unset_field - #path weird -#open 2016-07-13-16-16-12 +#open 2017-12-13-19-40-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro -1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_reply - F bro -1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_msg - F bro -#close 2016-07-13-16-16-12 +#close 2017-12-13-19-40-49 From f236dcdaa3ef1fa167ce58d9d7edbe7cfb86a98c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 13 Dec 2017 15:09:52 -0500 Subject: [PATCH 143/147] Updated news. --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index a219e76624..ad1ec55afd 100644 --- a/NEWS +++ b/NEWS @@ -56,6 +56,9 @@ Changed Functionality redef SOCKS::default_capture_password = T; +- The DNS base scripts no longer generate some noisy and annoying + weirds (dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply) + Removed Functionality --------------------- From 4965a7e1562cc05d81e769815f64b0dd235e7791 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 13 Dec 2017 14:22:47 -0600 Subject: [PATCH 144/147] Fix typo in analyzer::Manager API docs --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/Manager.h | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 1a6721eeb0..f084b5da97 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-369 | 2017-12-13 14:22:47 -0600 + + * Fix typo in analyzer::Manager API docs (Corelight) + 2.5-368 | 2017-12-08 13:09:25 -0600 * Improve for-loop iteration performance over empty tables. (Justin Azoff) diff --git a/VERSION b/VERSION index 91bd48a9c6..e28d3e68fa 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-368 +2.5-369 
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 2388a36219..d341940e7d 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -114,7 +114,7 @@ public: bool DisableAnalyzer(Tag tag); /** - * Enables an analyzer type. Disabled analyzers will not be + * Disables an analyzer type. Disabled analyzers will not be * instantiated for new connections. * * @param tag The analyzer's tag as an enum of script type \c From 8b28b7312405308b54118ea991088739e3318dd3 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 2 Jan 2018 09:12:09 +0100 Subject: [PATCH 145/147] Add CVE ID for BIT-1856. --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 9a7c010b96..35115b2acc 100644 --- a/CHANGES +++ b/CHANGES @@ -101,7 +101,7 @@ * Patch OOB write in content-line analyzer. A combination of packets can trigger an out of bound write of '0' byte - in the content-line analyzer. Addresses BIT-1856. + in the content-line analyzer. Addresses BIT-1856 / CVE-2017-1000458. (Frank Meier/Johanna Amann) 2.5-327 | 2017-10-16 12:21:01 -0700 From 7cb6cf24a6aad19a95768098eeac263508c44a4b Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 9 Jan 2018 12:16:17 -0500 Subject: [PATCH 146/147] Functions for retrieving files by their id. There are two new script level functions to query and lookup files from the core by their IDs. These are adding feature parity for similarly named functions for files. The function prototypes are as follows: Files::file_exists(fuid: string): bool Files::lookup_File(fuid: string): fa_file --- scripts/base/frameworks/files/main.bro | 24 +++++++ src/file_analysis/Manager.h | 62 +++++++++---------- src/file_analysis/file_analysis.bif | 22 +++++++ .../.stdout | 9 +++ .../bifs/file_exists_lookup_file.bro | 21 +++++++ 5 files changed, 107 insertions(+), 31 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout create mode 100644 testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index ed73028236..71147a77aa 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro @@ -135,6 +135,20 @@ export { ## The default per-file reassembly buffer size. const reassembly_buffer_size = 524288 &redef; + ## Lookup to see if a particular file id exists and is still valid. + ## + ## fuid: the file id. + ## + ## Returns: T if the file uid is known. + global file_exists: function(fuid: string): bool; + + ## Lookup an :bro:see:`fa_file` record with the file id. + ## + ## fuid: the file id. + ## + ## Returns: the associated :bro:see:`fa_file` record. + global lookup_file: function(fuid: string): fa_file; + ## Allows the file reassembler to be used if it's necessary because the ## file is transferred out of order. ## 
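Review bot: The doc comment on `lookup_file` does not say what happens for an unknown id; the bif implementation reports an error and returns no value (the new baseline shows `error: file ID asdf not a known file` followed by a "returns without a value" warning), so callers have to gate on `file_exists` first. Add a sentence to the `## Returns:` block stating that the id must first be checked with Files::file_exists, because an unknown id produces a reporter error and no return value.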
@@ -338,6 +352,16 @@ function set_info(f: fa_file) f$info$is_orig = f$is_orig; } +function file_exists(fuid: string): bool + { + return __file_exists(fuid); + } + +function lookup_file(fuid: string): fa_file + { + return __lookup_file(fuid); + } + function set_timeout_interval(f: fa_file, t: interval): bool { return __set_timeout_interval(f$id, t); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index dec308236a..1a5fb55f89 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -256,6 +256,14 @@ public: bool SetExtractionLimit(const string& file_id, RecordVal* args, uint64 n) const; + /** + * Try to retrieve a file that's being analyzed, using its identifier/hash. + * @param file_id the file identifier/hash. + * @return the File object mapped to \a file_id, or a null pointer if no + * mapping exists. + */ + File* LookupFile(const string& file_id) const; + /** * Queue attachment of an analzer to the file identifier. Multiple * analyzers of a given type can be attached per file identifier at a time 
@@ -332,37 +340,6 @@ protected: typedef PDict(bool) IDSet; typedef PDict(File) IDMap; - /** - * Create a new file to be analyzed or retrieve an existing one. - * @param file_id the file identifier/hash. - * @param conn network connection, if any, over which the file is - * transferred. - * @param tag network protocol, if any, over which the file is transferred. - * @param is_orig true if the file is being sent from connection originator - * or false if is being sent in the opposite direction (or if it - * this file isn't related to a connection). - * @param update_conn whether we need to update connection-related field - * in the \c fa_file record value associated with the file. - * @param an optional value of the source field to fill in. - * @return the File object mapped to \a file_id or a null pointer if - * analysis is being ignored for the associated file. An File - * object may be created if a mapping doesn't exist, and if it did - * exist, the activity time is refreshed along with any - * connection-related fields. - */ - File* GetFile(const string& file_id, Connection* conn = 0, - analyzer::Tag tag = analyzer::Tag::Error, - bool is_orig = false, bool update_conn = true, - const char* source_name = 0); - - /** - * Try to retrieve a file that's being analyzed, using its identifier/hash. - * @param file_id the file identifier/hash. - * @return the File object mapped to \a file_id, or a null pointer if no - * mapping exists. - */ - File* LookupFile(const string& file_id) const; - /** * Evaluate timeout policy for a file and remove the File object mapped to * \a file_id if needed. 
@@ -392,6 +369,29 @@ protected: */ std::string GetFileID(analyzer::Tag tag, Connection* c, bool is_orig); + /** + * Create a new file to be analyzed or retrieve an existing one. + * @param file_id the file identifier/hash. + * @param conn network connection, if any, over which the file is + * transferred. + * @param tag network protocol, if any, over which the file is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction (or if it + * this file isn't related to a connection). + * @param update_conn whether we need to update connection-related field + * in the \c fa_file record value associated with the file. + * @param an optional value of the source field to fill in. + * @return the File object mapped to \a file_id or a null pointer if + * analysis is being ignored for the associated file. An File + * object may be created if a mapping doesn't exist, and if it did + * exist, the activity time is refreshed along with any + * connection-related fields. + */ + File* GetFile(const string& file_id, Connection* conn = 0, + analyzer::Tag tag = analyzer::Tag::Error, + bool is_orig = false, bool update_conn = true, + const char* source_name = 0); + /** * Check if analysis is available for files transferred over a given * network protocol. diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 480d8c84d8..f445a9cf6a 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif 
@@ -71,6 +71,28 @@ function Files::__analyzer_name%(tag: Files::Tag%) : string return new StringVal(file_mgr->GetComponentName(tag)); %} +## :bro:see:`Files::file_exists`. +function Files::__file_exists%(fuid: string%): bool + %{ + if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr ) + return new Val(true, TYPE_BOOL); + else + return new Val(false, TYPE_BOOL); + %} + +## :bro:see:`Files::lookup_file`. +function Files::__lookup_file%(fuid: string%): fa_file + %{ + auto f = file_mgr->LookupFile(fuid->CheckString()); + if ( f != nullptr ) + { + return f->GetVal()->Ref(); + } + + reporter->Error("file ID %s not a known file", fuid->CheckString()); + return 0; + %} + module GLOBAL; ## For use within a :bro:see:`get_file_handle` handler to set a unique diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout new file mode 100644 index 0000000000..d5dd2cab55 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout @@ -0,0 +1,9 @@ +error: file ID asdf not a known file +warning: non-void function returns without a value: Files::lookup_file +This should fail but not crash +This should return F +F +lookup fid: FakNcS1Jfe01uljb3 +We should have found the file id: FakNcS1Jfe01uljb3 +This should return T +T diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro new file mode 100644 index 0000000000..cba82bbfab --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro 
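Review bot: `Files::__lookup_file` returns `0` from a BIF declared to return `fa_file`, which is what produces the `non-void function returns without a value` warning in the new baseline — every script that passes an unknown id pays a reporter error plus that warning. The bif comment should state that callers check `Files::file_exists` first. Minor: `__file_exists` can be the single line `return new Val(file_mgr->LookupFile(fuid->CheckString()) != nullptr, TYPE_BOOL);`, and `fuid->CheckString()` is evaluated twice in `__lookup_file`.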
@@ -0,0 +1,21 @@ +# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT 2>&1 +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + print "This should fail but not crash"; + print Files::lookup_file("asdf"); + + print "This should return F"; + print Files::file_exists("asdf"); + } + +event file_sniff(f: fa_file, meta: fa_metadata) + { + print "lookup fid: " + f$id; + local looked_up_file = Files::lookup_file(f$id); + print "We should have found the file id: " + looked_up_file$id ; + + print "This should return T"; + print Files::file_exists(f$id); + } From f7c115a47aa92ab4956cb815b708e8f1b8fb8fda Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 10 Jan 2018 13:20:02 -0600 Subject: [PATCH 147/147] Fix a test that fails in some environments The "coverage/init-default.test" will always fail if there is a path component named "build" anywhere before the bro install directory (for example, if the tests are run from home dir of a user named "build"). Fixed this by making a regex more specific so that it matches the correct lines in loaded_scripts.log. --- testing/btest/coverage/init-default.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test index 6877159c62..d736277d49 100644 --- a/testing/btest/coverage/init-default.test +++ b/testing/btest/coverage/init-default.test 
@@ -11,7 +11,7 @@ #@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro #@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found" #@TEST-EXEC: bro misc/loaded-scripts -#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro|#' | sed 's#/./#/#g' >loaded_scripts.log.tmp +#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/scripts/|/loaded-scripts.bro|#' | sed 's#/./#/#g' >loaded_scripts.log.tmp #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.bro #@TEST-EXEC: diff -u "all scripts found" init-default.bro | egrep "^-[^-]" > missing_loads