Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 09:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Copy docs into Zeek repo directly

Browse source 
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
This commit is contained in:
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
doc/scripts/base/protocols/ssl/__load__.zeek.rst Normal file
View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ssl/__load__.zeek
================================
:Imports: :doc:`base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>`, :doc:`base/protocols/ssl/ct-list.zeek </scripts/base/protocols/ssl/ct-list.zeek>`, :doc:`base/protocols/ssl/files.zeek </scripts/base/protocols/ssl/files.zeek>`, :doc:`base/protocols/ssl/main.zeek </scripts/base/protocols/ssl/main.zeek>`, :doc:`base/protocols/ssl/mozilla-ca-list.zeek </scripts/base/protocols/ssl/mozilla-ca-list.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

4884
doc/scripts/base/protocols/ssl/consts.zeek.rst Normal file
View file

File diff suppressed because it is too large Load diff

22
doc/scripts/base/protocols/ssl/ct-list.zeek.rst Normal file
View file

@ -0,0 +1,22 @@
:tocdepth: 3
base/protocols/ssl/ct-list.zeek
===============================
.. zeek:namespace:: SSL
:Namespace: SSL
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
=============================================================== =
:zeek:id:`SSL::ct_logs`: :zeek:type:`table` :zeek:attr:`&redef`
=============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

118
doc/scripts/base/protocols/ssl/files.zeek.rst Normal file
View file

@ -0,0 +1,118 @@
:tocdepth: 3
base/protocols/ssl/files.zeek
=============================
.. zeek:namespace:: SSL
:Namespace: SSL
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ssl/main.zeek </scripts/base/protocols/ssl/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Redefinable Options
###################
==================================================================================================== ==============================================================
:zeek:id:`SSL::log_include_client_certificate_subject_issuer`: :zeek:type:`bool` :zeek:attr:`&redef` Set this to true to include the client certificate subject
and issuer in the SSL logfile.
:zeek:id:`SSL::log_include_server_certificate_subject_issuer`: :zeek:type:`bool` :zeek:attr:`&redef` Set this to true to include the server certificate subject and
issuer from the SSL log file.
==================================================================================================== ==============================================================
Redefinitions
#############
=========================================== ============================================================================================================
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
cert_chain: :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
Chain of certificates offered by the server to validate its
complete signing chain.
cert_chain_fps: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
An ordered vector of all certificate fingerprints for the
certificates offered by the server.
client_cert_chain: :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
Chain of certificates offered by the client to validate its
complete signing chain.
client_cert_chain_fps: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
An ordered vector of all certificate fingerprints for the
certificates offered by the client.
subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of the X.509 certificate offered by the server.
issuer: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Issuer of the signer of the X.509 certificate offered by the
server.
client_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of the X.509 certificate offered by the client.
client_issuer: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of the signer of the X.509 certificate offered by the
client.
sni_matches_cert: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Set to true if the hostname sent in the SNI matches the certificate.
server_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Current number of certificates seen from either side.
client_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
=========================================== ============================================================================================================
Functions
#########
====================================================== =====================================
:zeek:id:`SSL::describe_file`: :zeek:type:`function` Default file describer for SSL.
:zeek:id:`SSL::get_file_handle`: :zeek:type:`function` Default file handle provider for SSL.
====================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: SSL::log_include_client_certificate_subject_issuer
:source-code: base/protocols/ssl/files.zeek 17 17
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Set this to true to include the client certificate subject
and issuer in the SSL logfile. This information is rarely present
and probably only interesting in very specific circumstances
.. zeek:id:: SSL::log_include_server_certificate_subject_issuer
:source-code: base/protocols/ssl/files.zeek 12 12
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Set this to true to include the server certificate subject and
issuer from the SSL log file. This information is still available
in x509.log.
Functions
#########
.. zeek:id:: SSL::describe_file
:source-code: base/protocols/ssl/files.zeek 74 95
:Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
Default file describer for SSL.
.. zeek:id:: SSL::get_file_handle
:source-code: base/protocols/ssl/files.zeek 68 72
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for SSL.

27
doc/scripts/base/protocols/ssl/index.rst Normal file
View file

@ -0,0 +1,27 @@
:orphan:
Package: base/protocols/ssl
===========================
Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
:doc:`/scripts/base/protocols/ssl/__load__.zeek`
:doc:`/scripts/base/protocols/ssl/consts.zeek`
:doc:`/scripts/base/protocols/ssl/main.zeek`
Base SSL analysis script. This script logs information about the SSL/TLS
handshaking and encryption establishment process.
:doc:`/scripts/base/protocols/ssl/mozilla-ca-list.zeek`
:doc:`/scripts/base/protocols/ssl/ct-list.zeek`
:doc:`/scripts/base/protocols/ssl/files.zeek`

756
doc/scripts/base/protocols/ssl/main.zeek.rst Normal file
View file

@ -0,0 +1,756 @@
:tocdepth: 3
base/protocols/ssl/main.zeek
============================
.. zeek:namespace:: SSL
Base SSL analysis script. This script logs information about the SSL/TLS
handshaking and encryption establishment process.
:Namespace: SSL
:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================================= ===============================================================
:zeek:id:`SSL::ct_logs`: :zeek:type:`table` :zeek:attr:`&redef` The Certificate Transparency log bundle.
:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` If true, detach the SSL analyzer from the connection to prevent
continuing to process encrypted traffic.
:zeek:id:`SSL::max_ssl_history_length`: :zeek:type:`count` :zeek:attr:`&redef` Maximum length of the ssl_history field to prevent unbounded
growth when the parser is running into unexpected situations.
======================================================================================= ===============================================================
Redefinable Options
###################
================================================================== ===========================
:zeek:id:`SSL::root_certs`: :zeek:type:`table` :zeek:attr:`&redef` The default root CA bundle.
================================================================== ===========================
Types
#####
============================================= ============================================================
:zeek:type:`SSL::CTInfo`: :zeek:type:`record` The record type which contains the field for the Certificate
Transparency log bundle.
:zeek:type:`SSL::Info`: :zeek:type:`record` The record type which contains the fields of the SSL log.
============================================= ============================================================
Redefinitions
#############
==================================================================== =============================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`SSL::LOG`
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
delay_tokens: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
ssl: :zeek:type:`SSL::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =============================================================================
Events
######
=========================================== =================================================
:zeek:id:`SSL::log_ssl`: :zeek:type:`event` Event that can be handled to access the SSL
record as it is sent on to the logging framework.
=========================================== =================================================
Hooks
#####
============================================================ ====================================================================
:zeek:id:`SSL::finalize_ssl`: :zeek:type:`Conn::RemovalHook` SSL finalization hook.
:zeek:id:`SSL::log_policy`: :zeek:type:`Log::PolicyHook`
:zeek:id:`SSL::ssl_finishing`: :zeek:type:`hook` Hook that can be used to perform actions right before the log record
is written.
============================================================ ====================================================================
Functions
#########
================================================== ====================================================================
:zeek:id:`SSL::delay_log`: :zeek:type:`function` Delays an SSL record for a specific token: the record will not be
logged as long as the token exists or until 15 seconds elapses.
:zeek:id:`SSL::undelay_log`: :zeek:type:`function` Undelays an SSL record for a previously inserted token, allowing the
record to be logged.
================================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSL::ct_logs
:source-code: base/protocols/ssl/main.zeek 139 139
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`SSL::CTInfo`
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
:Redefinition: from :doc:`/scripts/base/protocols/ssl/ct-list.zeek`
<< Value omitted due to ``@docs_omit_value`` annotation >>
The Certificate Transparency log bundle. By default, the ct-list.zeek
script sets this to the current list of known logs. Entries
are indexed by (binary) log-id.
.. zeek:id:: SSL::disable_analyzer_after_detection
:source-code: base/protocols/ssl/main.zeek 144 144
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
:Redefinition: from :doc:`/scripts/policy/protocols/ssl/decryption.zeek`
``=``::
F
:Redefinition: from :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek`
``=``::
F
If true, detach the SSL analyzer from the connection to prevent
continuing to process encrypted traffic. Helps with performance
(especially with large file transfers).
.. zeek:id:: SSL::max_ssl_history_length
:source-code: base/protocols/ssl/main.zeek 148 148
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``100``
Maximum length of the ssl_history field to prevent unbounded
growth when the parser is running into unexpected situations.
Redefinable Options
###################
.. zeek:id:: SSL::root_certs
:source-code: base/protocols/ssl/main.zeek 119 119
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
:Redefinition: from :doc:`/scripts/base/protocols/ssl/mozilla-ca-list.zeek`
<< Value omitted due to ``@docs_omit_value`` annotation >>
The default root CA bundle. By default, the mozilla-ca-list.zeek
script sets this to Mozilla's root CA list.
Types
#####
.. zeek:type:: SSL::CTInfo
:source-code: base/protocols/ssl/main.zeek 123 134
:Type: :zeek:type:`record`
.. zeek:field:: description :zeek:type:`string`
Description of the Log
.. zeek:field:: operator :zeek:type:`string`
Operator of the Log
.. zeek:field:: key :zeek:type:`string`
Public key of the Log.
.. zeek:field:: maximum_merge_delay :zeek:type:`count`
Maximum merge delay of the Log
.. zeek:field:: url :zeek:type:`string`
URL of the Log
The record type which contains the field for the Certificate
Transparency log bundle.
.. zeek:type:: SSL::Info
:source-code: base/protocols/ssl/main.zeek 16 115
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time when the SSL connection was first detected.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: version_num :zeek:type:`count` :zeek:attr:`&optional`
Numeric SSL/TLS version that the server chose.
.. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
SSL/TLS version that the server chose.
.. zeek:field:: cipher :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
SSL/TLS cipher suite that the server chose.
.. zeek:field:: curve :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Elliptic curve the server chose when using ECDH/ECDHE.
.. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value of the Server Name Indicator SSL/TLS extension. It
indicates the server name that the client was requesting.
.. zeek:field:: session_id :zeek:type:`string` :zeek:attr:`&optional`
Session ID offered by the client for session resumption.
Not used for logging.
.. zeek:field:: resumed :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag to indicate if the session was resumed reusing
the key material exchanged in an earlier connection.
.. zeek:field:: client_ticket_empty_session_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag to indicate if we saw a non-empty session ticket being
sent by the client using an empty session ID. This value
is used to determine if a session is being resumed. It's
not logged.
.. zeek:field:: client_key_exchange_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag to indicate if we saw a client key exchange message sent
by the client. This value is used to determine if a session
is being resumed. It's not logged.
.. zeek:field:: client_psk_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Track if the client sent a pre-shared-key extension.
Used to determine if a TLS 1.3 session is being resumed.
Not logged.
.. zeek:field:: last_alert :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Last alert that was seen during the connection.
.. zeek:field:: next_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Next protocol the server chose using the application layer
next protocol extension, if present.
.. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
The analyzer ID used for the analyzer instance attached
to each connection. It is not used for logging since it's a
meaningless arbitrary number.
.. zeek:field:: established :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag to indicate if this ssl session has been established
successfully, or if it was aborted during the handshake.
.. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag to indicate if this record already has been logged, to
prevent duplicates.
.. zeek:field:: hrr_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag to indicate that we have seen a Hello Retry request message.
Used internally for ssl_history logging
.. zeek:field:: ssl_history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
SSL history showing which types of packets we received in which order.
Letters have the following meaning with client-sent letters being capitalized:
A direction flip occurs when the client hello packet is not sent from the originator
of a connection. This can, e.g., occur when DTLS is used in a connection that was
set up using STUN.
====== ====================================================
Letter Meaning
====== ====================================================
^ direction flipped
H hello_request
C client_hello
S server_hello
V hello_verify_request
T NewSessionTicket
X certificate
K server_key_exchange
R certificate_request
N server_hello_done
Y certificate_verify
G client_key_exchange
F finished
W certificate_url
U certificate_status
A supplemental_data
Z unassigned_handshake_type
I change_cipher_spec
B heartbeat
D application_data
E end_of_early_data
O encrypted_extensions
P key_update
M message_hash
J hello_retry_request
L alert
Q unknown_content_type
====== ====================================================
.. zeek:field:: delay_tokens :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
.. zeek:field:: cert_chain :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Chain of certificates offered by the server to validate its
complete signing chain.
.. zeek:field:: cert_chain_fps :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
An ordered vector of all certificate fingerprints for the
certificates offered by the server.
.. zeek:field:: client_cert_chain :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Chain of certificates offered by the client to validate its
complete signing chain.
.. zeek:field:: client_cert_chain_fps :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
An ordered vector of all certificate fingerprints for the
certificates offered by the client.
.. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Subject of the X.509 certificate offered by the server.
.. zeek:field:: issuer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Issuer of the signer of the X.509 certificate offered by the
server.
.. zeek:field:: client_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Subject of the X.509 certificate offered by the client.
.. zeek:field:: client_issuer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Subject of the signer of the X.509 certificate offered by the
client.
.. zeek:field:: sni_matches_cert :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Set to true if the hostname sent in the SNI matches the certificate.
Set to false if they do not match. Unset if the client did not send
an SNI.
.. zeek:field:: server_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
Current number of certificates seen from either side. Used
to create file handles.
.. zeek:field:: client_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
.. zeek:field:: always_raise_x509_events :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek` is loaded)
Set to true to force certificate events to always be raised for this connection.
.. zeek:field:: requested_client_certificate_authorities :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
(present if :doc:`/scripts/policy/protocols/ssl/certificate-request-info.zeek` is loaded)
List of client certificate CAs accepted by the server
.. zeek:field:: client_random :zeek:type:`string` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/decryption.zeek` is loaded)
.. zeek:field:: last_originator_heartbeat_request_size :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: last_responder_heartbeat_request_size :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: originator_heartbeats :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: responder_heartbeats :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: heartbleed_detected :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: enc_appdata_packages :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: enc_appdata_bytes :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
.. zeek:field:: server_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Numeric version of the server in the server hello
.. zeek:field:: client_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Numeric version of the client in the client hello
.. zeek:field:: client_ciphers :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Ciphers that were offered by the client for the connection
.. zeek:field:: ssl_client_exts :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
SSL Client extensions
.. zeek:field:: ssl_server_exts :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
SSL server extensions
.. zeek:field:: ticket_lifetime_hint :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Suggested ticket lifetime sent in the session ticket handshake
by the server.
.. zeek:field:: dh_param_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
The diffie helman parameter size, when using DH.
.. zeek:field:: point_formats :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
supported elliptic curve point formats
.. zeek:field:: client_curves :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
The curves supported by the client.
.. zeek:field:: orig_alpn :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Application layer protocol negotiation extension sent by the client.
.. zeek:field:: client_supported_versions :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
TLS 1.3 supported versions
.. zeek:field:: server_supported_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
TLS 1.3 supported versions
.. zeek:field:: psk_key_exchange_modes :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
TLS 1.3 Pre-shared key exchange modes
.. zeek:field:: client_key_share_groups :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Key share groups from client hello
.. zeek:field:: server_key_share_group :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Selected key share group from server hello
.. zeek:field:: client_comp_methods :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Client supported compression methods
.. zeek:field:: comp_method :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Server chosen compression method
.. zeek:field:: sigalgs :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Client supported signature algorithms
.. zeek:field:: hashalgs :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
Client supported hash algorithms
.. zeek:field:: validation_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
Result of certificate validation for this connection.
.. zeek:field:: validation_code :zeek:type:`int` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
Result of certificate validation for this connection, given
as OpenSSL validation code.
.. zeek:field:: valid_chain :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
Ordered chain of validated certificate, if validation succeeded.
.. zeek:field:: ocsp_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
Result of ocsp validation for this connection.
.. zeek:field:: ocsp_response :zeek:type:`string` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
ocsp response as string.
.. zeek:field:: valid_scts :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
Number of valid SCTs that were encountered in the connection.
.. zeek:field:: invalid_scts :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
Number of SCTs that could not be validated that were encountered in the connection.
.. zeek:field:: valid_ct_logs :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
Number of different Logs for which valid SCTs were encountered in the connection.
.. zeek:field:: valid_ct_operators :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
Number of different Log operators of which valid SCTs were encountered in the connection.
.. zeek:field:: valid_ct_operators_list :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
List of operators for which valid SCTs were encountered in the connection.
.. zeek:field:: ct_proofs :zeek:type:`vector` of :zeek:type:`SSL::SctInfo` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
Information about all SCTs that were encountered in the connection.
The record type which contains the fields of the SSL log.
Events
######
.. zeek:id:: SSL::log_ssl
:source-code: base/protocols/ssl/main.zeek 160 160
:Type: :zeek:type:`event` (rec: :zeek:type:`SSL::Info`)
Event that can be handled to access the SSL
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: SSL::finalize_ssl
:source-code: base/protocols/ssl/main.zeek 517 527
:Type: :zeek:type:`Conn::RemovalHook`
SSL finalization hook. Remaining SSL info may get logged when it's called.
The :zeek:see:`SSL::ssl_finishing` hook may either
be called before this finalization hook for established SSL connections
or during this finalization hook for SSL connections may have info still
left to log.
.. zeek:id:: SSL::log_policy
:source-code: base/protocols/ssl/main.zeek 13 13
:Type: :zeek:type:`Log::PolicyHook`
.. zeek:id:: SSL::ssl_finishing
:source-code: base/protocols/ssl/main.zeek 164 164
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
Hook that can be used to perform actions right before the log record
is written.
Functions
#########
.. zeek:id:: SSL::delay_log
:source-code: base/protocols/ssl/main.zeek 227 232
:Type: :zeek:type:`function` (info: :zeek:type:`SSL::Info`, token: :zeek:type:`string`) : :zeek:type:`void`
Delays an SSL record for a specific token: the record will not be
logged as long as the token exists or until 15 seconds elapses.
.. zeek:id:: SSL::undelay_log
:source-code: base/protocols/ssl/main.zeek 234 238
:Type: :zeek:type:`function` (info: :zeek:type:`SSL::Info`, token: :zeek:type:`string`) : :zeek:type:`void`
Undelays an SSL record for a previously inserted token, allowing the
record to be logged.

22
doc/scripts/base/protocols/ssl/mozilla-ca-list.zeek.rst Normal file
View file

@ -0,0 +1,22 @@
:tocdepth: 3
base/protocols/ssl/mozilla-ca-list.zeek
=======================================
.. zeek:namespace:: SSL
:Namespace: SSL
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
================================================================== =
:zeek:id:`SSL::root_certs`: :zeek:type:`table` :zeek:attr:`&redef`
================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~