Merge remote-tracking branch 'origin/master' into topic/johanna/websockets

2025-10-14 04:28:20 +00:00 · 2018-01-12 10:27:23 -08:00 · 2018-01-12 10:27:23 -08:00 · cd345caadb
commit cd345caadb
parent eab80c8834 cc738544eb
229 changed files with 6335 additions and 1407 deletions
--- a/testing/btest/scripts/base/files/data_event/basic.bro
+++ b/testing/btest/scripts/base/files/data_event/basic.bro
@ -0,0 +1,20 @@
+# Just a very basic test to check if ANALYZER_DATA_EVENT works.
+# Also check if "in" works with binary data.
+# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff .stderr
+
+event stream_data(f: fa_file, data: string)
+	{
+	if ( "Windows" in data )
+		{
+		print "Found";
+		}
+	}
+
+event file_new (f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
+		[$stream_event=stream_data]);
+	}
+
--- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
@ -0,0 +1,62 @@
+# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load protocols/ssl/validate-certs
+
+redef SSL::ssl_store_valid_chain = T;
+
+export {
+	type LogInfo: record {
+		version: count;
+		logid: string;
+		timestamp: count;
+		sig_alg: count;
+		hash_alg: count;
+		signature: string;
+	};
+}
+
+redef record SSL::Info += {
+	ct_proofs: vector of LogInfo &default=vector();
+};
+
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
+
+	if ( |f$conns| != 1 )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature);
+	}
+
+event ssl_established(c: connection)
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	if ( |c$ssl$valid_chain| < 2 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+	local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4);
+
+	for ( i in c$ssl$ct_proofs )
+		{
+		local log = c$ssl$ct_proofs[i];
+
+		print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash);
+		print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash);
+		}
+	}
--- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test
@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
+
+	if ( |f$conns| != 1 )
+		return;
+
+	for ( cid in f$conns )
+		{
+		if ( ! f$conns[cid]?$ssl )
+			return;
+
+		local c = f$conns[cid];
+		}
+
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+
+	print "Verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp, hash_algorithm);
+	print "Bad verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp+1, hash_algorithm);
+	}
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro
@ -0,0 +1,21 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT 2>&1
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init()
+	{
+	print "This should fail but not crash";
+	print Files::lookup_file("asdf");
+
+	print "This should return F";
+	print Files::file_exists("asdf");
+	}
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+	{
+	print "lookup fid: " + f$id;
+	local looked_up_file = Files::lookup_file(f$id);
+	print "We should have found the file id: " + looked_up_file$id ;
+
+	print "This should return T";
+	print Files::file_exists(f$id);
+	}
--- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro
@ -1,6 +1,10 @@
+# @TEST-DOC: Test that the ASCII writer logs values of type "double" correctly.
 #
+# @TEST-EXEC: bro -b %INPUT test-json.bro
+# @TEST-EXEC: mv test.log json.log
 # @TEST-EXEC: bro -b %INPUT
 # @TEST-EXEC: btest-diff test.log
+# @TEST-EXEC: btest-diff json.log
 # 
 # Make sure  we do not write out scientific notation for doubles.

@ -14,16 +18,68 @@ export {
 	};
 }

-event bro_init()
+function logwrite(val: double)
 {
-	Log::create_stream(Test::LOG, [$columns=Info]);
-	Log::write(Test::LOG, [$d=2153226000.0]);
-	Log::write(Test::LOG, [$d=2153226000.1]);
-	Log::write(Test::LOG, [$d=2153226000.123456789]);
-	Log::write(Test::LOG, [$d=1.0]);
-	Log::write(Test::LOG, [$d=1.1]);
-	Log::write(Test::LOG, [$d=1.123456789]);
-	Log::write(Test::LOG, [$d=1.1234]);
-	Log::write(Test::LOG, [$d=3.14e15]);
+	Log::write(Test::LOG, [$d=val]);
 }

+event bro_init()
+{
+	local d: double;
+	local dmax: double = 1.79e308;
+	local dmin: double = 2.23e-308;
+
+	Log::create_stream(Test::LOG, [$columns=Info]);
+
+	# relatively large values
+	logwrite(2153226000.0);
+	logwrite(2153226000.1);
+	logwrite(2153226000.123456789);
+
+	# relatively small values
+	logwrite(1.0);
+	logwrite(1.1);
+	logwrite(1.123456789);
+	logwrite(-1.123456789);
+	logwrite(1.1234);
+	logwrite(.1234);
+
+	# scientific notation (positive exponents)
+	logwrite(5e4);
+	logwrite(-5e4);
+	logwrite(3.14e15);
+	logwrite(-3.14e15);
+	logwrite(dmax);
+	logwrite(-dmax);
+
+	# scientific notation (negative exponents)
+	logwrite(1.23456789e-5);
+	logwrite(dmin);
+	logwrite(-dmin);
+
+	# inf
+	d = dmax;       # ok
+	d = d * 2.0;    # inf
+	logwrite(d);
+
+	# -inf
+	d = -dmax;      # ok
+	d = d * 2.0;    # -inf
+	logwrite(d);
+
+	# negative zero (compares equal to 0.0, but has different representation)
+	d = -0.0;
+	logwrite(d);
+
+	# nan
+	d = dmax;       # ok
+	d = d * 2.0;    # inf
+	d = d * 0.0;    # nan
+	logwrite(d);
+}
+
+# @TEST-START-FILE test-json.bro
+
+redef LogAscii::use_json = T;
+
+# @TEST-END-FILE
--- a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro
@ -0,0 +1,25 @@
+# Test that log rotation works with compressed logs.
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: gunzip test.*.log.gz
+#
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		s: string;
+	} &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef LogAscii::gzip_level = 1;
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Log]);
+
+	Log::write(Test::LOG, [$s="testing"]);
+}
--- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
-# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log
 # @TEST-EXEC: btest-diff netcontrol_catch_release.log

@load base/frameworks/netcontrol
--- a/testing/btest/scripts/base/protocols/irc/longline.test
+++ b/testing/btest/scripts/base/protocols/irc/longline.test
@ -0,0 +1,6 @@
+# This tests that an excessively long line is truncated by the contentline
+# analyzer
+
+# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+
--- a/testing/btest/scripts/base/protocols/socks/socks-auth.bro
+++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro
@ -3,3 +3,9 @@
 # @TEST-EXEC: btest-diff tunnel.log

@load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;
+
+@TEST-START-NEXT
+
+@load base/protocols/socks
--- a/testing/btest/scripts/base/protocols/ssh/curve25519_kex.test
+++ b/testing/btest/scripts/base/protocols/ssh/curve25519_kex.test
@ -0,0 +1,6 @@
+# This tests a successful login with pubkey using curve25519 as the KEX algorithm
+
+# @TEST-EXEC: bro -b -r $TRACES/ssh/ssh_kex_curve25519.pcap %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+@load base/protocols/ssh
--- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test
+++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
@ -0,0 +1,116 @@
+# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
+# @TEST-EXEC: cat ssl.log > ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff ssl-all.log
+
+# Test the new client and server key exchange events.
+
+@load base/protocols/ssl
+@load base/files/x509
+@load protocols/ssl/extract-certs-pem.bro
+
+module SSL;
+
+export {
+	redef record Info += {
+		# ClientHello
+		client_random: string &log &optional;
+		client_cipher_suites: string &log &optional;
+
+		# ServerHello
+		server_random: string &log &optional;
+
+		# ServerKeyExchange
+		server_dh_p: string &log &optional;
+		server_dh_q: string &log &optional;
+		server_dh_Ys: string &log &optional;
+		server_ecdh_point: string &log &optional;
+		server_signature: string &log &optional;
+
+		# ServerCertificate
+		server_cert_sha1: string &log &optional;
+
+		# ClientKeyExchange
+		client_rsa_pms: string &log &optional;
+		client_dh_Yc: string &log &optional;
+		client_ecdh_point: string &log &optional;
+	};
+
+	## Control if host certificates offered by the defined hosts
+	## will be written to the PEM certificates file.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
+	redef extract_certs_pem = ALL_HOSTS;
+}
+
+event ssl_established(c: connection) &priority=5
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+	     ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1;
+	}
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_random = bytestring_to_hexstr(client_random);
+
+	local ciphers_str = "";
+	for (i in ciphers)
+		{
+			ciphers_str += cipher_desc[ciphers[i]];
+			if ( i != |ciphers|-1)
+				{
+					ciphers_str += ",";
+				}
+		}
+	c$ssl$client_cipher_suites = ciphers_str;
+	}
+
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_random = bytestring_to_hexstr(server_random);
+	}
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_dh_p = bytestring_to_hexstr(p);
+	c$ssl$server_dh_q = bytestring_to_hexstr(q);
+	c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys);
+	}
+
+event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_ecdh_point = bytestring_to_hexstr(point);
+	}
+
+event ssl_server_signature(c: connection, signed_params: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_signature = bytestring_to_hexstr(signed_params);
+	}
+
+event ssl_rsa_client_pms(c: connection, pms: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_rsa_pms = bytestring_to_hexstr(pms);
+	}
+
+event ssl_dh_client_params(c: connection, Yc: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc);
+	}
+
+event ssl_ecdh_client_params(c: connection, point: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_ecdh_point = bytestring_to_hexstr(point);
+	}
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@ -0,0 +1,43 @@
+# This tests a normal OCSP request sent through HTTP GET
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@ -0,0 +1,42 @@
+# This tests a OCSP request missing response
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@ -0,0 +1,43 @@
+# This tests a pair of normal OCSP request and response
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@ -0,0 +1,43 @@
+# This tests a normal OCSP response missing request
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@ -0,0 +1,43 @@
+# This tests OCSP response with revocation
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count, requestorName: string)
+	{
+	print "request", version, requestorName;
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}
--- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
@ -0,0 +1,39 @@
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+export {
+	type LogInfo: record {
+		version: count;
+		logid: string;
+		timestamp: count;
+		sig_alg: count;
+		hash_alg: count;
+		signature: string;
+	};
+}
+
+redef record SSL::Info += {
+	ct_proofs: vector of LogInfo &default=vector();
+};
+
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature);
+	}
+
+event ssl_established(c: connection)
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+
+	for ( i in c$ssl$ct_proofs )
+		{
+		local log = c$ssl$ct_proofs[i];
+
+		print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg);
+		print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg);
+		}
+	}
--- a/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test
@ -0,0 +1,16 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff .stdout
+
+# This is a trace that uses a completely non-standard way of establishing TLS 1.3; this seems
+# to be an undocumented extension where the TLS version is negotiated via the server sending back
+# an supported_versions extension (which, according to the RFC is strictly prohibited).
+#
+# This only seems to happen with Chrome talking to google servers. We do not recognize this as
+# TLS 1.3, but we do not abort when encountering traffic like this.
+
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+	{
+	if ( ! is_orig && code == 43 )
+		print bytestring_to_hexstr(val);
+	}