Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Prefer explicit construction to coercion in record initialization

Browse source 
While we support initializing records via coercion from an expression
list, e.g.,

    local x: X = [$x1=1, $x2=2];

this can sometimes obscure the code to readers, e.g., when assigning to
value declared and typed elsewhere. The language runtime has a similar
overhead since instead of just constructing a known type it needs to
check at runtime that the coercion from the expression list is valid;
this can be slower than just writing the readible code in the first
place, see #4559.

With this patch we use explicit construction, e.g.,

    local x = X($x1=1, $x2=2);
This commit is contained in:
Benjamin Bannier 2025-07-10 09:42:44 +02:00 committed by Christian Kreibich
parent 54f9e45597
commit d5fd29edcd
139 changed files with 786 additions and 788 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/policy/protocols/conn/known-hosts.zeek
View file

@ -150,7 +150,7 @@ event Known::host_found(info: HostsInfo)
event zeek_init() &priority=5
{
Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts]);
Log::create_stream(Known::HOSTS_LOG, Log::Stream($columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts));
}
event connection_established(c: connection) &priority=5
@ -165,5 +165,5 @@ event connection_established(c: connection) &priority=5
for ( host in set(id$orig_h, id$resp_h) )
if ( addr_matches_host(host, host_tracking) )
event Known::host_found([$ts = network_time(), $host = host]);
event Known::host_found(Known::HostsInfo($ts = network_time(), $host = host));
}

13
scripts/policy/protocols/conn/known-services.zeek
View file

@ -238,9 +238,8 @@ event known_service_add(info: ServicesInfo)
}
}
@if ( ! Cluster::is_enabled() ||
Cluster::local_node_type() == Cluster::PROXY )
Log::write(Known::SERVICES_LOG, info_to_log);
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::PROXY )
Log::write(Known::SERVICES_LOG, info_to_log);
@endif
}
@ -376,8 +375,8 @@ event connection_state_remove(c: connection) &priority=-5
event zeek_init() &priority=5
{
Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
$ev=log_known_services,
$path="known_services",
$policy=log_policy_services]);
Log::create_stream(Known::SERVICES_LOG, Log::Stream($columns=ServicesInfo,
$ev=log_known_services,
$path="known_services",
$policy=log_policy_services));
}

16
scripts/policy/protocols/conn/weirds.zeek
View file

@ -19,16 +19,16 @@ export {
event rexmit_inconsistency(c: connection, t1: string, t2: string, tcp_flags: string)
{
NOTICE([$note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s) [%s]",
id_string(c$id), t1, t2, tcp_flags),
$identifier=fmt("%s", c$id)]);
NOTICE(Notice::Info($note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s) [%s]",
id_string(c$id), t1, t2, tcp_flags),
$identifier=fmt("%s", c$id)));
}
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
NOTICE([$note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)",
id_string(c$id), is_orig ? ">" : "<", seq, length)]);
NOTICE(Notice::Info($note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)",
id_string(c$id), is_orig ? ">" : "<", seq, length)));
}

28
scripts/policy/protocols/dhcp/software.zeek
View file

@ -30,9 +30,9 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
else
{
log_info$server_software = options$vendor_class;
Software::found(id, [$unparsed_version=options$vendor_class,
$host=id$resp_h,
$software_type=DHCP::SERVER]);
Software::found(id, Software::Info($unparsed_version=options$vendor_class,
$host=id$resp_h,
$software_type=DHCP::SERVER));
}
}
}
@ -42,24 +42,24 @@ event DHCP::log_dhcp(rec: DHCP::Info)
if ( rec?$assigned_addr && rec?$server_addr &&
(rec?$client_software || rec?$server_software) )
{
local id: conn_id = [$orig_h=rec$assigned_addr,
$orig_p=rec$client_port,
$resp_h=rec$server_addr,
$resp_p=rec$server_port,
$proto=17]; # DHCP is typically UDP
local id = conn_id($orig_h=rec$assigned_addr,
$orig_p=rec$client_port,
$resp_h=rec$server_addr,
$resp_p=rec$server_port,
$proto=17); # DHCP is typically UDP
if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
{
Software::found(id, [$unparsed_version=rec$client_software,
$host=rec$assigned_addr, $host_p=id$orig_p,
$software_type=DHCP::CLIENT]);
Software::found(id, Software::Info($unparsed_version=rec$client_software,
$host=rec$assigned_addr, $host_p=id$orig_p,
$software_type=DHCP::CLIENT));
}
if ( rec?$server_software )
{
Software::found(id, [$unparsed_version=rec$server_software,
$host=rec$server_addr, $host_p=id$resp_p,
$software_type=DHCP::SERVER]);
Software::found(id, Software::Info($unparsed_version=rec$server_software,
$host=rec$server_addr, $host_p=id$resp_p,
$software_type=DHCP::SERVER));
}
}
}

8
scripts/policy/protocols/dns/detect-external-names.zeek
View file

@ -33,10 +33,10 @@ function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a:
if ( Site::is_local_addr(a) && # referring to a local host
! Site::is_local_name(ans$query) ) # name isn't in a local zone.
{
NOTICE([$note=External_Name,
$msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
$conn=c,
$identifier=cat(a,ans$query)]);
NOTICE(Notice::Info($note=External_Name,
$msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
$conn=c,
$identifier=cat(a,ans$query)));
}
}

42
scripts/policy/protocols/ftp/detect-bruteforcing.zeek
View file

@ -27,26 +27,26 @@ export {
event zeek_init()
{
local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
SumStats::create([$name="ftp-detect-bruteforcing",
$epoch=bruteforce_measurement_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ftp.failed_auth"]$num+0.0;
},
$threshold=bruteforce_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE([$note=FTP::Bruteforcing,
$src=key$host,
$msg=message,
$identifier=cat(key$host)]);
}]);
local r1 = SumStats::Reducer($stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2));
SumStats::create(SumStats::SumStat($name="ftp-detect-bruteforcing",
$epoch=bruteforce_measurement_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ftp.failed_auth"]$num+0.0;
},
$threshold=bruteforce_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE(Notice::Info($note=FTP::Bruteforcing,
$src=key$host,
$msg=message,
$identifier=cat(key$host)));
}));
}
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@ -55,6 +55,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
if ( cmd == "USER" || cmd == "PASS" )
{
if ( FTP::parse_ftp_reply_code(code)$x == 5 )
SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
SumStats::observe("ftp.failed_auth", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=cat(c$id$resp_h)));
}
}

6
scripts/policy/protocols/ftp/detect.zeek
View file

@ -22,8 +22,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
c$ftp$cmdarg$cmd == "SITE" &&
/[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
{
NOTICE([$note=Site_Exec_Success, $conn=c,
$msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
$identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")]);
NOTICE(Notice::Info($note=Site_Exec_Success, $conn=c,
$msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
$identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")));
}
}

2
scripts/policy/protocols/ftp/software.zeek
View file

@ -23,6 +23,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
{
if ( command == "CLNT" )
{
Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
Software::found(c$id, Software::Info($unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT));
}
}

32
scripts/policy/protocols/http/detect-sql-injection.zeek
View file

@ -72,7 +72,7 @@ event zeek_init() &priority=3
$num_samples=1
);
SumStats::create([
SumStats::create(SumStats::SumStat(
$name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
@ -86,16 +86,16 @@ event zeek_init() &priority=3
local r = result["http.sqli.attacker"];
local dst = to_addr(r$samples[0]$str);
local uid = r$samples[0]$uid;
NOTICE([$note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$uid=uid,
$src=key$host,
$dst=dst,
$identifier=cat(key$host)]);
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$uid=uid,
$src=key$host,
$dst=dst,
$identifier=cat(key$host)));
}
]);
));
SumStats::create([
SumStats::create(SumStats::SumStat(
$name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
@ -109,14 +109,14 @@ event zeek_init() &priority=3
local r = result["http.sqli.victim"];
local src = to_addr(r$samples[0]$str);
local uid = r$samples[0]$uid;
NOTICE([$note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$uid=uid,
$src=src,
$dst=key$host,
$identifier=cat(key$host)]);
NOTICE(Notice::Info($note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$uid=uid,
$src=src,
$dst=key$host,
$identifier=cat(key$host)));
}
]);
));
}
event http_request(c: connection, method: string, original_URI: string,

76
scripts/policy/protocols/http/detect-sqli.zeek
View file

@ -87,43 +87,43 @@ event zeek_init() &priority=3
# Add filters to the metrics so that the metrics framework knows how to
# determine when it looks like an actual attack and how to respond when
# thresholds are crossed.
local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
SumStats::create([$name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.attacker"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.attacker"];
NOTICE([$note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)]);
}]);
local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.attacker"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.attacker"];
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
SumStats::create([$name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.victim"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.victim"];
NOTICE([$note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)]);
}]);
local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.victim"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.victim"];
NOTICE(Notice::Info($note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
}
event http_request(c: connection, method: string, original_URI: string,
@ -136,7 +136,7 @@ event http_request(c: connection, method: string, original_URI: string,
{
add c$http$tags[URI_SQLI];
SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI));
SumStats::observe("http.sqli.victim", SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI));
}
}

2
scripts/policy/protocols/http/detect-webapps.zeek
View file

@ -29,7 +29,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
local c = state$conn;
local si: Software::Info;
si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
si = Software::Info($name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION);
si$url = build_url_http(c$http);
Software::found(c$id, si);
}

4
scripts/policy/protocols/http/software-browser-plugins.zeek
View file

@ -61,7 +61,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);
}
Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
Software::found(c$id, Software::Info($unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN));
}
}
@ -81,7 +81,7 @@ event log_http(rec: Info)
local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/);
for ( i in plugins )
Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
Software::found(rec$id, Software::Info($unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN));
}
}
}

8
scripts/policy/protocols/http/software.zeek
View file

@ -23,18 +23,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
if ( is_orig )
{
if ( name == "USER-AGENT" && ignored_user_agents !in value )
Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER));
}
else
{
if ( name == "SERVER" )
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER));
else if ( name == "X-POWERED-BY" )
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER));
else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
{
value = cat("SharePoint/", value);
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER));
}
}
}

6
scripts/policy/protocols/modbus/known-masters-slaves.zeek
View file

@ -37,7 +37,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus]);
Log::create_stream(Known::MODBUS_LOG, Log::Stream($columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus));
}
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
@ -48,13 +48,13 @@ event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
if ( [master, MODBUS_MASTER] !in modbus_nodes )
{
add modbus_nodes[master, MODBUS_MASTER];
Log::write(MODBUS_LOG, [$ts=network_time(), $host=master, $device_type=MODBUS_MASTER]);
Log::write(MODBUS_LOG, ModbusInfo($ts=network_time(), $host=master, $device_type=MODBUS_MASTER));
}
if ( [slave, MODBUS_SLAVE] !in modbus_nodes )
{
add modbus_nodes[slave, MODBUS_SLAVE];
Log::write(MODBUS_LOG, [$ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE]);
Log::write(MODBUS_LOG, ModbusInfo($ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE));
}
}

8
scripts/policy/protocols/modbus/track-memmap.zeek
View file

@ -56,7 +56,7 @@ redef record Modbus::Info += {
event zeek_init() &priority=5
{
Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change]);
Log::create_stream(Modbus::REGISTER_CHANGE_LOG, Log::Stream($columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change));
}
event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
@ -92,7 +92,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
}
else
{
local tmp_reg: RegisterValue = [$last_set=network_time(), $value=registers[i]];
local tmp_reg = RegisterValue($last_set=network_time(), $value=registers[i]);
slave_regs[c$modbus$track_address] = tmp_reg;
}
@ -102,7 +102,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
event Modbus::changed_register(c: connection, register: count, old_val: count, new_val: count, delta: interval)
{
local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id,
$register=register, $old_val=old_val, $new_val=new_val, $delta=delta];
local rec = MemmapInfo($ts=network_time(), $uid=c$uid, $id=c$id,
$register=register, $old_val=old_val, $new_val=new_val, $delta=delta);
Log::write(REGISTER_CHANGE_LOG, rec);
}

2
scripts/policy/protocols/mysql/software.zeek
View file

@ -16,5 +16,5 @@ event mysql_server_version(c: connection, ver: string)
if ( ver == "" )
return;
Software::found(c$id, [$unparsed_version=ver, $host=c$id$resp_h, $software_type=SERVER]);
Software::found(c$id, Software::Info($unparsed_version=ver, $host=c$id$resp_h, $software_type=SERVER));
}

2
scripts/policy/protocols/smb/log-cmds.zeek
View file

@ -29,7 +29,7 @@ const deferred_logging_cmds: set[string] = {
event zeek_init() &priority=5
{
Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy]);
Log::create_stream(SMB::CMD_LOG, Log::Stream($columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy));
}
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5

4
scripts/policy/protocols/smtp/blocklists.zeek
View file

@ -56,8 +56,8 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
message = fmt("%s is on an SMTP block list", c$id$orig_h);
}
NOTICE([$note=note, $conn=c, $msg=message, $sub=msg,
$identifier=cat(c$id$orig_h)]);
NOTICE(Notice::Info($note=note, $conn=c, $msg=message, $sub=msg,
$identifier=cat(c$id$orig_h)));
}
}
}

14
scripts/policy/protocols/smtp/detect-suspicious-orig.zeek
View file

@ -29,10 +29,10 @@ event log_smtp(rec: Info)
loc$country_code in suspicious_origination_countries) ||
ip in suspicious_origination_networks )
{
NOTICE([$note=Suspicious_Origination,
$msg=fmt("An email originated from %s (%s).",
loc?$country_code ? loc$country_code : "", ip),
$id=rec$id]);
NOTICE(Notice::Info($note=Suspicious_Origination,
$msg=fmt("An email originated from %s (%s).",
loc?$country_code ? loc$country_code : "", ip),
$id=rec$id));
}
}
if ( rec?$path )
@ -44,9 +44,9 @@ event log_smtp(rec: Info)
loc$country_code in suspicious_origination_countries) ||
ip in suspicious_origination_networks )
{
NOTICE([$note=Suspicious_Origination,
$msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip),
$id=rec$id]);
NOTICE(Notice::Info($note=Suspicious_Origination,
$msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip),
$id=rec$id));
}
}
}

2
scripts/policy/protocols/smtp/software.zeek
View file

@ -75,7 +75,7 @@ event log_smtp(rec: Info)
if ( addr_matches_host(rec$id$orig_h,
detect_clients_in_messages_from) )
{
Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]);
Software::found(rec$id, Software::Info($unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type));
}
}
}

61
scripts/policy/protocols/ssh/detect-bruteforcing.zeek
View file

@ -41,41 +41,42 @@ export {
event zeek_init()
{
local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5];
SumStats::create([$name="detect-ssh-bruteforcing",
$epoch=guessing_timeout,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ssh.login.failure"]$sum;
},
$threshold=password_guesses_limit,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ssh.login.failure"];
local sub_msg = fmt("Sampled servers: ");
local samples = r$samples;
for ( i in samples )
{
if ( samples[i]?$str )
sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str);
}
# Generate the notice.
NOTICE([$note=Password_Guessing,
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
$sub=sub_msg,
$src=key$host,
$identifier=cat(key$host)]);
}]);
local r1 = SumStats::Reducer($stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5);
SumStats::create(SumStats::SumStat(
$name="detect-ssh-bruteforcing",
$epoch=guessing_timeout,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ssh.login.failure"]$sum;
},
$threshold=password_guesses_limit,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ssh.login.failure"];
local sub_msg = fmt("Sampled servers: ");
local samples = r$samples;
for ( i in samples )
{
if ( samples[i]?$str )
sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str);
}
# Generate the notice.
NOTICE(Notice::Info($note=Password_Guessing,
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
$sub=sub_msg,
$src=key$host,
$identifier=cat(key$host)));
}));
}
event ssh_auth_successful(c: connection, auth_method_none: bool)
{
local id = c$id;
Intel::seen([$host=id$orig_h,
$conn=c,
$where=SSH::SUCCESSFUL_LOGIN]);
Intel::seen(Intel::Seen($host=id$orig_h,
$conn=c,
$where=SSH::SUCCESSFUL_LOGIN));
}
event ssh_auth_failed(c: connection)
@ -86,5 +87,5 @@ event ssh_auth_failed(c: connection)
# be ignored.
if ( ! (id$orig_h in ignore_guessers &&
id$resp_h in ignore_guessers[id$orig_h]) )
SumStats::observe("ssh.login.failure", [$host=id$orig_h], [$str=cat(id$resp_h)]);
SumStats::observe("ssh.login.failure", SumStats::Key($host=id$orig_h), SumStats::Observation($str=cat(id$resp_h)));
}

10
scripts/policy/protocols/ssh/geo-data.zeek
View file

@ -40,11 +40,11 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
{
NOTICE([$note=Watched_Country_Login,
$conn=c,
$msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from",
c$ssh$remote_location$country_code)]);
NOTICE(Notice::Info($note=Watched_Country_Login,
$conn=c,
$msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from",
c$ssh$remote_location$country_code)));
}
}

10
scripts/policy/protocols/ssh/interesting-hostnames.zeek
View file

@ -33,11 +33,11 @@ function check_ssh_hostname(id: conn_id, uid: string, host: addr)
{
if ( interesting_hostnames in hostname )
{
NOTICE([$note=Interesting_Hostname_Login,
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote",
host == id$orig_h ? "client" : "server"),
$sub=hostname, $id=id, $uid=uid]);
NOTICE(Notice::Info($note=Interesting_Hostname_Login,
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote",
host == id$orig_h ? "client" : "server"),
$sub=hostname, $id=id, $uid=uid));
}
}
}

4
scripts/policy/protocols/ssh/software.zeek
View file

@ -18,12 +18,12 @@ event ssh_client_version(c: connection, version: string) &priority=4
{
# Get rid of the protocol information when passing to the software framework.
local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]);
Software::found(c$id, Software::Info($unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT));
}
event ssh_server_version(c: connection, version: string) &priority=4
{
# Get rid of the protocol information when passing to the software framework.
local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
Software::found(c$id, Software::Info($unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER));
}

2
scripts/policy/protocols/ssl/decryption.zeek
View file

@ -74,7 +74,7 @@ event zeek_init()
if ( keylog_file != "" )
{
Input::add_table([$name=tls_decrypt_stream_name, $source=keylog_file, $destination=secrets, $idx=SecretsIdx, $val=SecretsVal, $want_record=F]);
Input::add_table(Input::TableDescription($name=tls_decrypt_stream_name, $source=keylog_file, $destination=secrets, $idx=SecretsIdx, $val=SecretsVal, $want_record=F));
Input::remove(tls_decrypt_stream_name);
}
}

30
scripts/policy/protocols/ssl/expiring-certs.zeek
View file

@ -47,23 +47,23 @@ event ssl_established(c: connection) &priority=3
local hash = c$ssl$cert_chain[0]$sha1;
if ( cert$not_valid_before > network_time() )
NOTICE([$note=Certificate_Not_Valid_Yet,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
NOTICE(Notice::Info($note=Certificate_Not_Valid_Yet,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid));
else if ( cert$not_valid_after < network_time() )
NOTICE([$note=Certificate_Expired,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
NOTICE(Notice::Info($note=Certificate_Expired,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid));
else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
NOTICE([$note=Certificate_Expires_Soon,
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
NOTICE(Notice::Info($note=Certificate_Expires_Soon,
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid));
}

116
scripts/policy/protocols/ssl/heartbleed.zeek
View file

@ -91,30 +91,30 @@ event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_typ
if ( payload_length > checklength )
{
c$ssl$heartbleed_detected = T;
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
$conn=c,
$identifier=cat(c$uid, length, payload_length)
]);
NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
$conn=c,
$identifier=cat(c$uid, length, payload_length)
));
}
else if ( is_client )
{
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$n=length,
$identifier=cat(c$uid, length)
]);
NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$n=length,
$identifier=cat(c$uid, length)
));
}
}
if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
{
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack_Success,
$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$identifier=c$uid
]);
NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack_Success,
$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$identifier=c$uid
));
}
}
@ -128,43 +128,43 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
local duration = network_time() - c$start_time;
if ( c$ssl$enc_appdata_packages == 0 )
NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
));
else if ( duration < 1min )
NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
));
if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Many_Requests,
$msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
));
if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Many_Requests,
$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
));
if ( is_client && length < 19 )
NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
));
# Examine request lengths based on used cipher...
local min_length_choice: vector of min_length;
@ -179,12 +179,12 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
{
if ( length < min_length_choice[i]$min_length )
{
NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
));
}
break;
@ -207,12 +207,12 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
{
if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
{
NOTICE([$note=SSL_Heartbeat_Attack_Success,
$msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
c$ssl$last_originator_heartbeat_request_size, length, duration),
$conn=c,
$identifier=c$uid # only throw once per connection
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Attack_Success,
$msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
c$ssl$last_originator_heartbeat_request_size, length, duration),
$conn=c,
$identifier=c$uid # only throw once per connection
));
}
else if ( ! c$ssl?$last_originator_heartbeat_request_size )

2
scripts/policy/protocols/ssl/known-certs.zeek
View file

@ -197,5 +197,5 @@ event ssl_established(c: connection) &priority=3
event zeek_init() &priority=5
{
Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs]);
Log::create_stream(Known::CERTS_LOG, Log::Stream($columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs));
}

8
scripts/policy/protocols/ssl/validate-certs.zeek
View file

@ -177,9 +177,9 @@ hook ssl_finishing(c: connection) &priority=20
if ( result$result_string != "ok" )
{
local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
NOTICE([$note=Invalid_Server_Cert, $msg=message,
$sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
$fuid=c$ssl$cert_chain[0]$fuid,
$identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]);
NOTICE(Notice::Info($note=Invalid_Server_Cert, $msg=message,
$sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
$fuid=c$ssl$cert_chain[0]$fuid,
$identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)));
}
}

6
scripts/policy/protocols/ssl/validate-ocsp.zeek
View file

@ -68,8 +68,8 @@ event ssl_established(c: connection) &priority=3
if( result$result_string != "good" )
{
local message = fmt("OCSP response validation failed with (%s)", result$result_string);
NOTICE([$note=Invalid_Ocsp_Response, $msg=message,
$sub=c$ssl$subject, $conn=c,
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)]);
NOTICE(Notice::Info($note=Invalid_Ocsp_Response, $msg=message,
$sub=c$ssl$subject, $conn=c,
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)));
}
}

56
scripts/policy/protocols/ssl/weak-keys.zeek
View file

@ -68,13 +68,13 @@ event ssl_established(c: connection) &priority=3
local key_length = cert$key_length;
if ( key_length < notify_minimal_key_length )
NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak certificate with %d bit key", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
$sub=fmt("Subject: %s", cert$subject),
$file_desc=fmt("Fingerprint: %s", hash)
]);
NOTICE(Notice::Info($note=Weak_Key,
$msg=fmt("Host uses weak certificate with %d bit key", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
$sub=fmt("Subject: %s", cert$subject),
$file_desc=fmt("Fingerprint: %s", hash)
));
}
# Check for old SSL versions and weak connection keys
@ -87,19 +87,19 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
{
local minimum_string = version_strings[tls_minimum_version];
local host_string = version_strings[version];
NOTICE([$note=Old_Version,
$msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
NOTICE(Notice::Info($note=Old_Version,
$msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
));
}
if ( unsafe_ciphers_regex in c$ssl$cipher )
NOTICE([$note=Weak_Cipher,
$msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
]);
NOTICE(Notice::Info($note=Weak_Cipher,
$msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
));
}
event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=3
@ -110,11 +110,11 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
local key_length = |p| * 8; # length of the used prime number in bits
if ( key_length < notify_minimal_key_length )
NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
]);
NOTICE(Notice::Info($note=Weak_Key,
$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
));
if ( notify_dh_length_shorter_cert_length &&
c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
@ -124,11 +124,11 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
{
if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
NOTICE([$note=Weak_Key,
$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
NOTICE(Notice::Info($note=Weak_Key,
$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
));
}
}