Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add btest and fix bug

Browse source
This commit is contained in:
Liang Zhu 2015-06-19 09:37:10 -07:00
parent d84d1d24e8
commit d1c568663c
11 changed files with 58 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

19
scripts/base/files/ocsp/main.bro
View file

@ -30,7 +30,7 @@ export {
## NOTE: the above are for one file which may constain
## several ocsp requests
## request cert id
certId: OCSP::CertId &log &optional;
certId: OCSP::CertId &optional;
};
## NOTE: one file could contain several response
@ -54,7 +54,8 @@ export {
## NOTE: the following are specific to one cert id
## the above are for one file which may contain
## several responses
##cert id
certId: OCSP::CertId &optional;
## certStatus (this is the response to look at)
certStatus: string &log &optional;
## thisUpdate
@ -67,8 +68,9 @@ export {
## timestamp for request if both request is present
## OR timestamp for response if request is not found
ts: time &log;
req: Info_req &log &optional;
resp: Info_resp &log &optional;
certId: OCSP::CertId &log &optional;
req: Info_req &log &optional;
resp: Info_resp &log &optional;
};
## Event for accessing logged OCSP records.
@ -181,23 +183,24 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo
$version = resp$version,
$responderID = resp$responderID,
$producedAt = resp$producedAt,
$certId = cert_id,
$certStatus = single_resp$certStatus,
$thisUpdate = single_resp$thisUpdate];
if (single_resp?$nextUpdate)
resp_rec$nextUpdate = single_resp$nextUpdate;
if (cert_id in conn$ocsp_requests)
if (conn?$ocsp_requests && cert_id in conn$ocsp_requests)
{
# find a match
local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]);
Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]);
Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]);
if (Queue::len(conn$ocsp_requests[cert_id]) == 0)
delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it?
}
else
{
# do not find a match; this is weird but log it
Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]);
Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]);
}
}
}
@ -220,7 +223,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
Queue::get_vector(q, reqs);
for ( i in reqs )
Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]);
Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]);
}
function log_unmatched_msgs(msgs: PendingRequests)

6
src/file_analysis/analyzer/ocsp/OCSP.cc
View file

@ -52,6 +52,8 @@ static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type)
}
else if (type == V_ASN1_INTEGER)
{
// NOTE: this will print the hex number
// wireshark may display decimal number
if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0)
goto err;
}
@ -183,7 +185,7 @@ static void ocsp_print_cert_id(OCSP_CERTID *cid)
printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString());
//print serialNumber
new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash));
new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber));
StringVal serialNumber = StringVal(new_len, buf);
printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString());
}
@ -217,7 +219,7 @@ static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d)
//serialNumber
len = -1;
len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash));
len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber));
if (len > 0)
d->Assign(3, new StringVal(len, buf));
}

10
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-33
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - -
#close 2015-06-19-16-32-33

10
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-23
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-23

10
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-06-19-16-32-39
#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate
#types time string string string string string count string string string string count string string string string string
1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z
#close 2015-06-19-16-32-39

BIN
testing/btest/Traces/tls/ocsp-request-only.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/tls/ocsp-request-response.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/tls/ocsp-response-only.pcap Normal file
View file

Binary file not shown.

4
testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test Normal file
View file

@ -0,0 +1,4 @@
# This tests a OCSP request missing response
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log

4
testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test Normal file
View file

@ -0,0 +1,4 @@
# This tests a pair of normal OCSP request and response
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log

4
testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test Normal file
View file

@ -0,0 +1,4 @@
# This tests a normal OCSP response missing request
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log