mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 20:48:21 +00:00
add a file analyzer to parse ocsp request and response
add two events: ocsp_request and ocsp_response
parent
668f3e38ad
commit
e9baddfd6b
15 changed files with 833 additions and 1 deletions
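--- a/scripts/base/files/ocsp/README
+++ b/scripts/base/files/ocsp/README
@@ -0,0 +1 @@
+Support for ocsp file analysis framework.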
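--- a/scripts/base/files/ocsp/__load__.bro
+++ b/scripts/base/files/ocsp/__load__.bro
@@ -0,0 +1 @@
+@load ./main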
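--- a/scripts/base/files/ocsp/main.bro
+++ b/scripts/base/files/ocsp/main.bro
@@ -0,0 +1,11 @@
+@load base/frameworks/files
+@load base/utils/paths
+
+module FileOCSP;
+
+export {
+## add one more argument to indicate is ocsp response or request
+redef record Files::AnalyzerArgs += {
+ocsp_type: string &optional;
+};
+}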
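Review bot: `ocsp_type` in the `Files::AnalyzerArgs` redef is a free-form `&optional` string, and nothing in this script documents or constrains which values select request or response parsing, or what happens when the field is absent or unrecognised. The analyzer code that reads the argument is not visible in this section, so the accepted values should be spelled out in the field comment, for example `## Selects whether the file is parsed as an OCSP request or an OCSP response; accepted values: <values the analyzer accepts>.` An enum instead of a string would let the script layer reject a mistyped value at load time. `@load base/utils/paths` does not appear to be used by any of the eleven lines added here.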
|
@ -2927,6 +2927,50 @@ export {
|
|||
};
|
||||
}
|
||||
|
||||
|
||||
module OCSP;
|
||||
export {
|
||||
type OneReq: record {
|
||||
hashAlgorithm: string &log;
|
||||
issuerNameHash: string &log;
|
||||
issuerKeyHash: string &log;
|
||||
serialNumber: string &log;
|
||||
#RequestExtensions: xxx
|
||||
};
|
||||
type Request: record {
|
||||
version: count &log &optional;
|
||||
requestorName: string &log &optional;
|
||||
requestList: vector of OneReq;
|
||||
#requestExtensions: xxx
|
||||
};
|
||||
type SingleResp: record {
|
||||
hashAlgorithm: string &log;
|
||||
issuerNameHash: string &log;
|
||||
issuerKeyHash: string &log;
|
||||
serialNumber: string &log;
|
||||
certStatus: string &log;
|
||||
thisUpdate: string &log;
|
||||
nextUpdate: string &log &optional;
|
||||
#Extensions: xxx
|
||||
};
|
||||
type Response: record {
|
||||
responseStatus: string &log;
|
||||
responseType: string &log;
|
||||
version: count &log;
|
||||
responderID: string &log;
|
||||
producedAt: string &log;
|
||||
responses: vector of SingleResp;
|
||||
#responseExtensions:xxx
|
||||
signatureAlgorithm: string &log;
|
||||
signature: string; #&log;
|
||||
};
|
||||
}
|
||||
|
||||
module GLOBAL;
|
||||
type ocsp_req_vec: vector of OCSP::OneReq;
|
||||
type ocsp_resp_vec: vector of OCSP::SingleResp;
|
||||
|
||||
|
||||
module SOCKS;
|
||||
export {
|
||||
## This record is for a SOCKS client or server to provide either a
|
||||
|
|
|
@ -65,6 +65,7 @@
|
|||
@load base/files/extract
|
||||
@load base/files/unified2
|
||||
@load base/files/x509
|
||||
@load base/files/ocsp
|
||||
|
||||
@load base/misc/find-checksum-offloading
|
||||
@load base/misc/find-filtered-trace
|
||||
|
|