Add policy script suppressing certificate events

The added disable-certificate-events-known-certs.zeek disables repeated X509 events in SSL connections, given that the connection terminates at the same server and used the samt SNI as a previously seen connection with the same certificate. For people that see significant amounts of TLS 1.2 traffic, this could reduce the amount of raised events significantly - especially when a lot of connections are repeat connections to the same servers. The practical impact of not raising these events is actually very little - unless a script directly interacts with the x509 events, everything works as before - the x509 variables in the connection records are still being set (from the cache).
2025-10-12 11:38:20 +00:00 · 2021-06-29 11:10:09 +01:00 · 2021-06-29 11:10:09 +01:00 · e58b03a43f
commit e58b03a43f
parent e310734d7b
15 changed files with 357 additions and 2 deletions
--- a/scripts/base/files/x509/main.zeek
+++ b/scripts/base/files/x509/main.zeek
@ -136,6 +136,9 @@ event zeek_init() &priority=5
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
+
+	# Please note that SHA256 caching is required to be enabled for the certificate event
+	# caching that is set up in certificate-event-cache.zeek to work.
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-user-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/x-x509-ca-cert");
 	Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/pkix-cert");