add btest and fix bug

This commit is contained in:
Liang Zhu 2015-06-19 09:37:10 -07:00
parent d84d1d24e8
commit d1c568663c
11 changed files with 58 additions and 11 deletions


@ -30,7 +30,7 @@ export {
## NOTE: the above are for one file which may constain ## NOTE: the above are for one file which may constain
## several ocsp requests ## several ocsp requests
## request cert id ## request cert id
certId: OCSP::CertId &log &optional; certId: OCSP::CertId &optional;
}; };
## NOTE: one file could contain several response ## NOTE: one file could contain several response
@ -54,7 +54,8 @@ export {
## NOTE: the following are specific to one cert id ## NOTE: the following are specific to one cert id
## the above are for one file which may contain ## the above are for one file which may contain
## several responses ## several responses
##cert id
certId: OCSP::CertId &optional;
## certStatus (this is the response to look at) ## certStatus (this is the response to look at)
certStatus: string &log &optional; certStatus: string &log &optional;
## thisUpdate ## thisUpdate
@ -67,6 +68,7 @@ export {
## timestamp for request if both request is present ## timestamp for request if both request is present
## OR timestamp for response if request is not found ## OR timestamp for response if request is not found
ts: time &log; ts: time &log;
certId: OCSP::CertId &log &optional;
req: Info_req &log &optional; req: Info_req &log &optional;
resp: Info_resp &log &optional; resp: Info_resp &log &optional;
}; };
@ -181,23 +183,24 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
$version = resp$version, $version = resp$version,
$responderID = resp$responderID, $responderID = resp$responderID,
$producedAt = resp$producedAt, $producedAt = resp$producedAt,
$certId = cert_id,
$certStatus = single_resp$certStatus, $certStatus = single_resp$certStatus,
$thisUpdate = single_resp$thisUpdate]; $thisUpdate = single_resp$thisUpdate];
if (single_resp?$nextUpdate) if (single_resp?$nextUpdate)
resp_rec$nextUpdate = single_resp$nextUpdate; resp_rec$nextUpdate = single_resp$nextUpdate;
if (cert_id in conn$ocsp_requests) if (conn?$ocsp_requests && cert_id in conn$ocsp_requests)
{ {
# find a match # find a match
local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]);
Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]);
if (Queue::len(conn$ocsp_requests[cert_id]) == 0) if (Queue::len(conn$ocsp_requests[cert_id]) == 0)
delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it?
} }
else else
{ {
# do not find a match; this is weird but log it # do not find a match; this is weird but log it
Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]);
} }
} }
} }
@ -220,7 +223,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
Queue::get_vector(q, reqs); Queue::get_vector(q, reqs);
for ( i in reqs ) for ( i in reqs )
Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]);
} }
function log_unmatched_msgs(msgs: PendingRequests) function log_unmatched_msgs(msgs: PendingRequests)
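Review bot: The new `$certId=req_rec$certId` in the matched branch of ocsp_response (and `$certId=reqs[i]$certId` in log_unmatched_msgs_queue) reads a field that Info_req now declares as plain `&optional` in the first hunk, and reading an unset `&optional` field in Bro is a runtime error, not a `-` in the log. If every request record is guaranteed to have certId set before it is queued this is safe, but that guarantee is not visible here; in the matched branch the key just looked up is available, so `Log::write(LOG, [$ts=req_rec$ts, $certId=cert_id, $req=req_rec, $resp=resp_rec]);` avoids the re-read entirely, and the unmatched loop could guard with `reqs[i]?$certId`. The response-only branch is fine, since `$certId = cert_id` is assigned on resp_rec a few lines above. Both ocsp_response and log_unmatched_msgs_queue begin outside their hunks.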


@ -52,6 +52,8 @@ static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type)
} }
else if (type == V_ASN1_INTEGER) else if (type == V_ASN1_INTEGER)
{ {
// NOTE: this will print the hex number
// wireshark may display decimal number
if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0)
goto err; goto err;
} }
@ -183,7 +185,7 @@ static void ocsp_print_cert_id(OCSP_CERTID *cid)
printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString());
//print serialNumber //print serialNumber
new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber));
StringVal serialNumber = StringVal(new_len, buf); StringVal serialNumber = StringVal(new_len, buf);
printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString());
} }
@ -217,7 +219,7 @@ static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d)
//serialNumber //serialNumber
len = -1; len = -1;
len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber));
if (len > 0) if (len > 0)
d->Assign(3, new StringVal(len, buf)); d->Assign(3, new StringVal(len, buf));
} }
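Review bot: In the ocsp_fill_cert_id hunk the `len = -1;` just before the ASN1_INTEGER_to_cstr call is a dead store, since the call assigns len unconditionally, and when conversion fails (len <= 0) the serialNumber slot is silently left unset with no diagnostic, so a malformed serial in a response yields a log row with `-` in that column and no hint why; dropping the dead store and reporting the failure through whatever diagnostic path the analyzer already uses would make that visible. The same silent-skip shape appears for the other fields above this hunk, so it may be a deliberate pattern rather than an oversight. The comment added in the ANS1_to_cstr hunk could say what consumers will see, e.g. `// i2a_ASN1_INTEGER emits the value as hex digits (as in the serialNumber column of the baselines); Wireshark shows the same integer in decimal, so the two will not match visually.` All three functions in this section start outside their hunks.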


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-33
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - -
#close 2015-06-19-16-32-33


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-23
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-23


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-39
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-39

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,4 @@
# This tests a OCSP request missing response
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log
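Review bot: The test body is comments only, so `%INPUT` contributes nothing and the run depends on the OCSP script and analyzer being loaded by default; if they are not, ocsp.log is never written and btest-diff fails on a missing file rather than on content. An explicit `@load` of the OCSP policy script in the test body would make that dependency visible and keep the test meaningful if the default load set changes; the same applies to the request-response and response-only tests below. The baselines also carry `#open`/`#close` timestamps, so these tests presumably rely on the diff canonifier configured in btest.cfg to strip them. A small wording fix for the first line: `# This tests an OCSP request whose response is missing`.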


@ -0,0 +1,4 @@
# This tests a pair of normal OCSP request and response
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log


@ -0,0 +1,4 @@
# This tests a normal OCSP response missing request
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log