record more timestamp for ocsp measurement

2025-10-05 16:18:19 +00:00 · 2015-07-06 17:52:13 -07:00 · 2015-07-06 17:52:13 -07:00 · e2c30f0005
commit e2c30f0005
parent d18a96bc8d
1 changed files with 39 additions and 22 deletions
--- a/scripts/policy/protocols/ssl/ocsp-measurement.bro
+++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro
@ -15,12 +15,18 @@ export {
 		## cert id for the OCSP request
 		cert_id:        OCSP::CertId      &log  &optional;

+		## request timestamp
+		req_ts:         time              &log  &optional;
+
 		## request
 		## NOTE: this is only one request if multiple requests
 		## are sent together in one HTTP message, they will be
 		## logged separately
 		req:            OCSP::Info_req    &log  &optional;

+		## response timestamp
+		resp_ts:        time              &log  &optional;
+
 		## response
 		## NOTE: similar to request, if multiple responses are
 		## sent together in one HTTP message, they will be
@ -30,10 +36,13 @@ export {
 		## HTTP connection uid
 		cuid:            string     &log;

+		## HTTP connection start time
+		conn_start_ts:   time       &log;
+
 		## for 1st request, this is the time between first TCP
 		## SYN and resp_ts; for the rest of the requests in
 		## the same connection, this is the time btween req_ts
-		## and res_ts
+		## and resp_ts
 		delay:           interval   &log       &optional;

 		## the size of HTTP request body
@ -57,8 +66,10 @@ export {
 		## OCSP uri, this is uri in HTTP request
 		uri:             string     &log;

-		## number of ocsp requests in this connection
-		## including this one
+		## number of HTTP request containing ocsp requests in
+		## this connection including this one; this may be
+		## different from number of OCSP requests since one
+		## HTTP request may contain several OCSP requests
 		num_ocsp:        count      &log       &optional;

 		## the time when the corresponding certificate is
@ -222,7 +233,8 @@ function fill_ocsp_info(c: connection)
 			                               $issuerKeyHash  = single_resp$issuerKeyHash,
 			                               $serialNumber   = single_resp$serialNumber];

-			local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid,
+			local resp_rec: OCSP::Info_resp = [$ts             = http$ocsp_response_ts,
+						           $id             = http$ocsp_response_fuid,
 							   $responseStatus = resp$responseStatus,
 							   $responseType   = resp$responseType,
 							   $version        = resp$version,
@ -236,8 +248,12 @@ function fill_ocsp_info(c: connection)
 				resp_rec$nextUpdate = single_resp$nextUpdate;

 			local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id       = cert_id,
-			                                           $cuid = http$uid, $host = http$host,
-				                                   $uri = http$uri, $resp = resp_rec,
+			                                           $cuid          = http$uid,
+								   $conn_start_ts = c$start_time,
+								   $host          = http$host,
+				                                   $uri           = http$uri,
+								   $resp_ts       = resp_rec$ts,
+								   $resp          = resp_rec,
 				                                   $req_size      = http$request_body_len,
 								   $req_hdr_size  = http$request_header_len,
 								   $resp_size     = http$response_body_len,
@ -248,10 +264,11 @@ function fill_ocsp_info(c: connection)
 				# find a match
 				local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]);
 				ocsp_info$req      = req_rec;
+				ocsp_info$req_ts   = req_rec$ts;
 				ocsp_info$num_ocsp = c$num_ocsp;
 				
-				if (c$num_ocsp == 0)
-					ocsp_info$delay = ocsp_info$req$ts - c$start_time;
+				if (c$num_ocsp == 1)
+					ocsp_info$delay = ocsp_info$resp$ts - c$start_time;
 				else
 					ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts;