Very basic file-analyzer for x509 certificates. Mostly ripped from

the ssl-analyzer and the topic/bernhard/x509 branch. Simply prints information about the encountered certificates (I have not yet my mind up, what I will log...). Next step: extensions...
2025-10-17 05:58:20 +00:00 · 2013-09-16 09:14:36 -07:00 · 2013-09-16 09:14:36 -07:00 · e5a589dbfe
commit e5a589dbfe
parent 33a7e96268
14 changed files with 449 additions and 1 deletions
--- a/scripts/base/files/x509/load.bro
+++ b/scripts/base/files/x509/load.bro
@ -0,0 +1 @@
+@load ./main
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@ -0,0 +1,14 @@
+
+@load base/frameworks/files
+
+module X509;
+
+export {
+	redef enum Log::ID += { LOG };
+}
+
+event x509_cert(f: fa_file, cert: X509::Certificate)
+	{
+	print cert;
+	}
+
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2721,6 +2721,26 @@ export {
 	};
 }

+module X509;
+export {
+	type X509::Certificate: record {
+		version: count;	##< Version number.
+		serial: string;	##< Serial number.
+		subject: string;	##< Subject.
+		issuer: string;	##< Issuer.
+		not_valid_before: time;	##< Timestamp before when certificate is not valid.
+		not_valid_after: time;	##< Timestamp after when certificate is not valid.
+		key_alg: string; ##< name of the key algorithm
+		sig_alg: string; ##< name of the signature algorithm
+		key_type: string &optional; ##< key-type, if key parseable by openssl (either rsa, dsa or ec)
+		key_length: count &optional; ##< key-length in bits  
+		exponent: string &optional; ##< exponent, if RSA-certificate
+		curve: string &optional; ##< curve, if EC-certificate
+		ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
+		path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
+	};
+}
+		
 module SOCKS;
 export {
 	## This record is for a SOCKS client or server to provide either a
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@ -57,6 +57,6 @@
@load base/files/hash
@load base/files/extract
@load base/files/unified2
-
+@load base/files/x509

@load base/misc/find-checksum-offloading
--- a/scripts/base/protocols/ssl/load.bro
+++ b/scripts/base/protocols/ssl/load.bro
@ -1,5 +1,6 @@
@load ./consts
@load ./main
@load ./mozilla-ca-list
+@load ./files

@load-sigs ./dpd.sig
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@ -0,0 +1,48 @@
+@load ./main
+@load base/utils/conn-ids
+@load base/frameworks/files
+
+module SSL;
+
+export {
+	redef record Info += {
+		## An ordered vector of file unique IDs which contains
+		## all the certificates sent over the connection
+		fuids: vector of string &log &default=string_vec();
+	};
+
+	## Default file handle provider for SSL.
+	global get_file_handle: function(c: connection, is_orig: bool): string;
+
+	## Default file describer for SSL.
+	global describe_file: function(f: fa_file): string;
+}
+
+function get_file_handle(c: connection, is_orig: bool): string
+	{
+	return cat(Analyzer::ANALYZER_SMTP, c$start_time);
+	}
+
+function describe_file(f: fa_file): string
+	{
+	# This shouldn't be needed, but just in case...
+	if ( f$source != "SSL" )
+		return "";
+
+	return "";
+	}
+
+event bro_init() &priority=5
+	{
+	Files::register_protocol(Analyzer::ANALYZER_SSL, 
+	                         [$get_file_handle = SSL::get_file_handle,
+	                          $describe        = SSL::describe_file]);
+	}
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
+	{
+	if ( c?$ssl )
+		c$ssl$fuids[|c$ssl$fuids|] = f$id;
+
+	Files::add_analyzer(f, Files::ANALYZER_X509);
+	}