Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

record more timestamp for ocsp measurement

Browse source
This commit is contained in:
Liang Zhu 2015-07-06 17:52:13 -07:00
parent d18a96bc8d
commit e2c30f0005
1 changed files with 39 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

61
scripts/policy/protocols/ssl/ocsp-measurement.bro
View file

@ -15,12 +15,18 @@ export {
## cert id for the OCSP request ## cert id for the OCSP request
cert_id: OCSP::CertId &log &optional; cert_id: OCSP::CertId &log &optional;
## request timestamp
req_ts: time &log &optional;
## request ## request
## NOTE: this is only one request if multiple requests ## NOTE: this is only one request if multiple requests
## are sent together in one HTTP message, they will be ## are sent together in one HTTP message, they will be
## logged separately ## logged separately
req: OCSP::Info_req &log &optional; req: OCSP::Info_req &log &optional;
## response timestamp
resp_ts: time &log &optional;
## response ## response
## NOTE: similar to request, if multiple responses are ## NOTE: similar to request, if multiple responses are
## sent together in one HTTP message, they will be ## sent together in one HTTP message, they will be
@ -30,10 +36,13 @@ export {
## HTTP connection uid ## HTTP connection uid
cuid: string &log; cuid: string &log;
## HTTP connection start time
conn_start_ts: time &log;
## for 1st request, this is the time between first TCP ## for 1st request, this is the time between first TCP
## SYN and resp_ts; for the rest of the requests in ## SYN and resp_ts; for the rest of the requests in
## the same connection, this is the time btween req_ts ## the same connection, this is the time btween req_ts
## and res_ts ## and resp_ts
delay: interval &log &optional; delay: interval &log &optional;
## the size of HTTP request body ## the size of HTTP request body
@ -57,8 +66,10 @@ export {
## OCSP uri, this is uri in HTTP request ## OCSP uri, this is uri in HTTP request
uri: string &log; uri: string &log;
## number of ocsp requests in this connection ## number of HTTP request containing ocsp requests in
## including this one ## this connection including this one; this may be
## different from number of OCSP requests since one
## HTTP request may contain several OCSP requests
num_ocsp: count &log &optional; num_ocsp: count &log &optional;
## the time when the corresponding certificate is ## the time when the corresponding certificate is
@ -222,36 +233,42 @@ function fill_ocsp_info(c: connection)
$issuerKeyHash = single_resp$issuerKeyHash, $issuerKeyHash = single_resp$issuerKeyHash,
$serialNumber = single_resp$serialNumber]; $serialNumber = single_resp$serialNumber];
local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts,
$responseStatus = resp$responseStatus, $id = http$ocsp_response_fuid,
$responseType = resp$responseType, $responseStatus = resp$responseStatus,
$version = resp$version, $responseType = resp$responseType,
$responderID = resp$responderID, $version = resp$version,
$producedAt = resp$producedAt, $responderID = resp$responderID,
$certId = cert_id, $producedAt = resp$producedAt,
$certStatus = single_resp$certStatus, $certId = cert_id,
$thisUpdate = single_resp$thisUpdate]; $certStatus = single_resp$certStatus,
$thisUpdate = single_resp$thisUpdate];
if (single_resp?$nextUpdate) if (single_resp?$nextUpdate)
resp_rec$nextUpdate = single_resp$nextUpdate; resp_rec$nextUpdate = single_resp$nextUpdate;
local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id,
$cuid = http$uid, $host = http$host, $cuid = http$uid,
$uri = http$uri, $resp = resp_rec, $conn_start_ts = c$start_time,
$req_size = http$request_body_len, $host = http$host,
$req_hdr_size = http$request_header_len, $uri = http$uri,
$resp_size = http$response_body_len, $resp_ts = resp_rec$ts,
$resp = resp_rec,
$req_size = http$request_body_len,
$req_hdr_size = http$request_header_len,
$resp_size = http$response_body_len,
$resp_hdr_size = http$response_header_len, $resp_hdr_size = http$response_header_len,
$http_code = http$status_code]; $http_code = http$status_code];
if (cert_id in pending_requests) if (cert_id in pending_requests)
{ {
# find a match # find a match
local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]);
ocsp_info$req = req_rec; ocsp_info$req = req_rec;
ocsp_info$req_ts = req_rec$ts;
ocsp_info$num_ocsp = c$num_ocsp; ocsp_info$num_ocsp = c$num_ocsp;
if (c$num_ocsp == 0) if (c$num_ocsp == 1)
ocsp_info$delay = ocsp_info$req$ts - c$start_time; ocsp_info$delay = ocsp_info$resp$ts - c$start_time;
else else
ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts;