diff --git a/scripts/base/files/x509/main.zeek b/scripts/base/files/x509/main.zeek
index e1f4206d69..c8f0a0f978 100644
--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@@ -136,6 +136,9 @@ event zeek_init() &priority=5
 Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
 Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
 Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
+
+ # Please note that SHA256 caching is required to be enabled for the certificate event
+ # caching that is set up in certificate-event-cache.zeek to work.
 Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-user-cert");
 Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-ca-cert");
 Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/pkix-cert");
diff --git a/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek b/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek
new file mode 100644
index 0000000000..2f293fd658
--- /dev/null
+++ b/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek
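Review bot: The comment added above the `Files::ANALYZER_SHA256` registrations says "SHA256 caching is required to be enabled", but what these three lines enable is the SHA256 file analyzer (hashing), not a cache, so a reader may go looking for a cache option that does not exist here. Suggest wording it as `# The SHA256 file analyzer must stay registered for these MIME types: the certificate` / `# event cache set up in certificate-event-cache.zeek relies on the file's SHA256 hash.` The surrounding `zeek_init` handler starts and ends outside the hunk.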
@@ -0,0 +1,84 @@
+##! This script disables repeat certificate events for hosts for hosts for which the same
+##! certificate was seen in the recent past;
+##!
+##! This script specifically plugs into the event caching mechanism that is set up by the
+##! base X509 script certificate-event-cache.zeek. It adds another layer of tracking that
+##! checks if the same certificate was seen for the server IP address before, when the same
+##! SNI was used to connect. If the certificate is in the event cache and all of these conditions
+##! apply, then no certificate related events will be raised.
+##!
+##! Please note that while this optimization can lead to a considerable reduction of load in some
+##! settings, it also means that certain detection scripts that rely on the certificate events being
+##! raised do no longer work - since the events will not be raised for all connections.
+##!
+##! Currently this script only works for X509 certificates that are sent via SSL/TLS connections.
+##!
+##! If you use any script that requires certificate events for each single connection,
+##! you should not load this script.
+
+@load base/protocols/ssl
+@load base/files/x509
+
+module DisableX509Events;
+
+## Let's be a bit more generous with the number of certificates that we allow to be put into
+## the cache.
+redef X509::certificate_cache_max_entries = 100000;
+
+type CacheIndex: record {
+ ## IP address of the server the certificate was seen on.
+ ip: addr;
+ ## SNI the client sent in the connection
+ sni: string &optional;
+ ## sha256 of the certificate
+ sha256: string;
+};
+
+redef record SSL::Info += {
+ ## Set to true to force certificate events to always be raised for this connection.
+ always_raise_x509_events: bool &default=F;
+};
+
+redef record X509::Info += {
+ ## Set to true to force certificate events to always be raised for this certificate.
+ always_raise_x509_events: bool &default=F;
+};
+
+global certificate_replay_tracking: set[CacheIndex] &read_expire=X509::certificate_cache_minimum_eviction_interval;
+
+hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=5
+ {
+ # Bail out if x509 is already set - or if the file tells us that we should always raise events.
+ if ( f$info?$x509 || e$always_raise_x509_events )
+ return;
+
+ local raise_events = F;
+
+ # not sure how that could happen - but let's be safe...
+ if ( |f$conns| == 0 )
+ return;
+
+ for ( c in f$conns )
+ {
+ if ( ! f$conns[c]?$ssl )
+ return;
+
+ local test = CacheIndex($ip=f$conns[c]$id$resp_h, $sha256=sha256);
+ if ( f$conns[c]$ssl?$server_name )
+ test$sni = f$conns[c]$ssl$server_name;
+
+ if ( test !in certificate_replay_tracking || f$conns[c]$ssl$always_raise_x509_events )
+ {
+ raise_events = T;
+ add certificate_replay_tracking[test];
+ }
+ }
+
+ if ( ! raise_events )
+ {
+ # We don't have to raise the events. :).
+ # Instead we just already set f$x509. That makes the data available to scripts that might need them - and the x509_certificate_cache_replayh
+ # hook in certificate-event-cache will just abort.
+ f$info$x509 = e;
+ }
+ }
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index fc36807d57..610712716f 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -41,6 +41,7 @@
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/unified2/__load__.zeek
 @load files/unified2/main.zeek
+@load files/x509/disable-certificate-events-known-certs.zeek
 @load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
index 3f3e397577..c008d14a92 100644
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
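Review bot: `certificate_replay_tracking` has no size bound, whereas the certificate cache it extends is capped through `X509::certificate_cache_max_entries`; since `CacheIndex` includes the SNI the client sent, one cached certificate can accumulate an entry per distinct (server IP, SNI) pair and only `&read_expire` ever removes them. Consider guarding the insert so the set fails open toward raising events, e.g. `const max_tracking_entries = 100000 &redef;` at module level and `if ( |certificate_replay_tracking| < max_tracking_entries ) add certificate_replay_tracking[test];` in place of the bare `add` (raise_events is already T on that path, so the events are still raised when the bound is hit). Two comment typos are worth fixing as well: the header reads "for hosts for hosts for which", and the closing comment names `x509_certificate_cache_replayh` rather than `X509::x509_certificate_cache_replay`. The early `return` on a connection without `$ssl` leaves entries added by earlier loop iterations in place; that looks intentional, since returning means the events are still raised for this file, but a one-line comment saying so would save the next reader the same analysis.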
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors @@ -2,8 +2,8 @@ ### NOTE: This file has been sorted with diff-sort. warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:10 "Remove in v5.1. Use log-certs-base64.zeek instead." warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from command line arguments "Remove in v5.1. Use log-certs-base64.zeek instead." -warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:44 ("Remove in v5.1. OCSP logging is now disabled by default") -warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:44 ("Remove in v5.1. OCSP logging is now disabled by default") +warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:45 ("Remove in v5.1. OCSP logging is now disabled by default") +warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:45 ("Remove in v5.1. OCSP logging is now disabled by default") warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now disabled by default") warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:4 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).") warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).") diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/.stdout b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/.stdout new file mode 100644 index 0000000000..31621b0464 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/.stdout 
@@ -0,0 +1,53 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services 
LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/ssl.log b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/ssl.log new file mode 100644 index 0000000000..e913b2025a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/ssl.log 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fps client_cert_chain_fps subject issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 167.71.55.249 37680 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 167.71.55.249 37682 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 167.71.55.249 37684 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 167.71.55.249 37686 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 
7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 167.71.55.249 37688 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 167.71.55.249 37690 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 167.71.55.249 37692 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 167.71.55.249 37694 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +#close 
XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/x509.log b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/x509.log new file mode 100644 index 0000000000..8fbaa7b2a0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-2/x509.log 
@@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open XXXX-XX-XX-XX-XX-XX +#fields ts fp certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool +XXXXXXXXXX.XXXXXX 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47 3 FD62E14283CA9DF30A00000000DCA0BE CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - www.google.com - - - F - T F +XXXXXXXXXX.XXXXXX 23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522 3 0203BC53596B34C718F5015066 CN=GTS CA 1C3,O=Google Trust Services LLC,C=US CN=GTS Root R1,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F +XXXXXXXXXX.XXXXXX 3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 3 77BD0D6CDB36F91AEA210FC4F058D30D CN=GTS Root R1,O=Google Trust Services LLC,C=US CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 4096 65537 - - - - - T - F F +XXXXXXXXXX.XXXXXX c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d 3 9AFA430EE8EEE2FF0A00000000DCA0C8 CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX id-ecPublicKey 
sha256WithRSAEncryption ecdsa 256 - prime256v1 www.google.com - - - F - T F +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/.stdout b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/.stdout new file mode 100644 index 0000000000..c055e7611f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/.stdout 
@@ -0,0 +1,39 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +x509_certificate, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +Hook for, CN=www.google.com +Hook for, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +Hook for, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com 
diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/ssl.log b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/ssl.log new file mode 100644 index 0000000000..e913b2025a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/ssl.log 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fps client_cert_chain_fps subject issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 167.71.55.249 37680 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 167.71.55.249 37682 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 167.71.55.249 37684 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 167.71.55.249 37686 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 
7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 167.71.55.249 37688 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 167.71.55.249 37690 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 167.71.55.249 37692 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 167.71.55.249 37694 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +#close 
XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/x509.log b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/x509.log new file mode 100644 index 0000000000..8fbaa7b2a0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs-3/x509.log 
@@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open XXXX-XX-XX-XX-XX-XX +#fields ts fp certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool +XXXXXXXXXX.XXXXXX 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47 3 FD62E14283CA9DF30A00000000DCA0BE CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - www.google.com - - - F - T F +XXXXXXXXXX.XXXXXX 23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522 3 0203BC53596B34C718F5015066 CN=GTS CA 1C3,O=Google Trust Services LLC,C=US CN=GTS Root R1,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F +XXXXXXXXXX.XXXXXX 3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 3 77BD0D6CDB36F91AEA210FC4F058D30D CN=GTS Root R1,O=Google Trust Services LLC,C=US CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 4096 65537 - - - - - T - F F +XXXXXXXXXX.XXXXXX c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d 3 9AFA430EE8EEE2FF0A00000000DCA0C8 CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX id-ecPublicKey 
sha256WithRSAEncryption ecdsa 256 - prime256v1 www.google.com - - - F - T F +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/.stdout b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/.stdout new file mode 100644 index 0000000000..2b98275395 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/.stdout 
@@ -0,0 +1,33 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com +x509_certificate, CN=www.google.com +x509_certificate, CN=GTS CA 1C3,O=Google Trust Services LLC,C=US +x509_certificate, CN=GTS Root R1,O=Google Trust Services LLC,C=US +finishing, CN=www.google.com diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/ssl.log b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/ssl.log new file mode 100644 index 0000000000..e913b2025a --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/ssl.log 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fps client_cert_chain_fps subject issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 167.71.55.249 37680 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 167.71.55.249 37682 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 167.71.55.249 37684 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 167.71.55.249 37686 142.250.179.196 443 TLSv12 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - F - - T 
7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 167.71.55.249 37688 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 167.71.55.249 37690 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 167.71.55.249 37692 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 167.71.55.249 37694 142.250.179.196 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - www.google.com F - - T c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d,23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522,3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 (empty) CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US ok +#close 
XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/x509.log b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/x509.log new file mode 100644 index 0000000000..8fbaa7b2a0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.disable-certificate-events-known-certs/x509.log 
@@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open XXXX-XX-XX-XX-XX-XX +#fields ts fp certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool +XXXXXXXXXX.XXXXXX 7c4cb8ef8d84a20171b3ee521b2be4d973b5fcf9cfbd1786e5581c7fed14da47 3 FD62E14283CA9DF30A00000000DCA0BE CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - www.google.com - - - F - T F +XXXXXXXXXX.XXXXXX 23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522 3 0203BC53596B34C718F5015066 CN=GTS CA 1C3,O=Google Trust Services LLC,C=US CN=GTS Root R1,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F +XXXXXXXXXX.XXXXXX 3ee0278df71fa3c125c4cd487f01d774694e6fc57e0cd94c24efd769133918e5 3 77BD0D6CDB36F91AEA210FC4F058D30D CN=GTS Root R1,O=Google Trust Services LLC,C=US CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 4096 65537 - - - - - T - F F +XXXXXXXXXX.XXXXXX c4d4c1fde956a63916e6886df676570da046396d31ee1f8aad5d59c8865d274d 3 9AFA430EE8EEE2FF0A00000000DCA0C8 CN=www.google.com CN=GTS CA 1C3,O=Google Trust Services LLC,C=US XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX id-ecPublicKey 
sha256WithRSAEncryption ecdsa 256 - prime256v1 www.google.com - - - F - T F +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/tls/google-cert-repeat.pcap b/testing/btest/Traces/tls/google-cert-repeat.pcap new file mode 100644 index 0000000000..92027db13b Binary files /dev/null and b/testing/btest/Traces/tls/google-cert-repeat.pcap differ diff --git a/testing/btest/scripts/base/files/x509/disable-certificate-events-known-certs.zeek b/testing/btest/scripts/base/files/x509/disable-certificate-events-known-certs.zeek new file mode 100644 index 0000000000..a359a3d286 --- /dev/null +++ b/testing/btest/scripts/base/files/x509/disable-certificate-events-known-certs.zeek 
@@ -0,0 +1,46 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/google-cert-repeat.pcap common.zeek %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff .stdout
+
+@TEST-START-FILE common.zeek
+
+@load base/protocols/ssl
+@load protocols/ssl/validate-certs.zeek
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+ {
+ print "x509_certificate", cert$subject;
+ }
+
+hook SSL::ssl_finishing(c: connection)
+ {
+ print "finishing", c$ssl$cert_chain[0]$x509$certificate$subject;
+ }
+
+hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=5
+ {
+ print "Hook for", e$certificate$subject;
+ }
+
+@TEST-END-FILE
+
+# First: Plain, no changes - certificate event caching won't even engage.
+
+# @TEST-START-NEXT
+
+# Second - engage certificate caching.
+# Log files and events are unchanged - but the replay hook engages
+
+redef X509::caching_required_encounters = 1;
+redef X509::certificate_cache_minimum_eviction_interval = 11min;
+
+# @TEST-START-NEXT
+
+# Third - load policy script to not raise events
+# Log files are unchanged; events are not raised from the third time.
+
+redef X509::caching_required_encounters = 1;
+redef X509::certificate_cache_minimum_eviction_interval = 11min;
+
+@load policy/files/x509/disable-certificate-events-known-certs
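Review bot: The third variant only pins the suppression path — every connection in google-cert-repeat.pcap goes to the same server IP with SNI www.google.com, so nothing verifies that events are still raised when an already-cached certificate reappears under a different SNI or server address, or when the `always_raise_x509_events` override the policy script adds to `SSL::Info` is set; a regression in the (ip, sni, sha256) cache key would silently drop events that detection scripts depend on, and the baselines would not catch it. A fourth `@TEST-START-NEXT` variant that loads the policy and sets `c$ssl$always_raise_x509_events = T;` from a handler that runs early in the connection (presumably `ssl_client_hello` — worth confirming against where the policy consults the flag) would pin the override, and a second trace with a differing SNI for the same server would pin the key. Separately, the `SSL::ssl_finishing` hook in common.zeek indexes `c$ssl$cert_chain[0]` unguarded; that is fine for this trace, but `if ( |c$ssl$cert_chain| > 0 )` in front of the print would keep the test from turning into a runtime error if the pcap is ever swapped for one containing a resumed session.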