Commit graph

141 commits

Author SHA1 Message Date
Johanna Amann
7c012f9b91 Merge branch 'master' of https://github.com/mmguero-dev/zeek
* 'master' of https://github.com/mmguero-dev/zeek:
  check for the existance of f?$conns in file_sniff event in policy/protocols/ssl/log-hostcerts-only.zeek
2020-04-16 12:59:12 -07:00
SG
42bf41aca1 check for the existance of f?$conns in file_sniff event in policy/protocols/ssl/log-hostcerts-only.zeek
In using the corelight/bro-xor-exe-plugin (https://github.com/corelight/bro-xor-exe-plugin) I noticed this error when running the PCAP trace file in its tests directory:

1428602842.525435 expression error in /opt/zeek/share/zeek/policy/protocols/ssl/log-hostcerts-only.zeek, line 44: field value missing (X509::f$conns)

Examining log-hostcerts-only.zeek, I saw that although f$conns is being checked for length, it's not being checked to see if it exists first.

This commit changes "if ( |f$conns| != 1 )" to "if (( ! f?$conns ) || ( |f$conns| != 1 ))" so that the script returns if there is no f$conns field.

In my local testing, this seems to fix the error. My testing was being done with v3.0.5, but I think this patch can be applied to both the 3.0.x and 3.1.x branches.
2020-04-16 10:19:59 -06:00
Jon Siwek
1ce0fcce49 GH-387: update Broker topic names to use "zeek/" prefix 2019-05-29 15:56:37 -07:00
Daniel Thayer
be182aac83 More bro-to-zeek renaming in scripts and other files 2019-05-16 02:36:41 -05:00
Jon Siwek
aebcb1415d GH-234: rename Broxygen to Zeexygen along with roles/directives
* All "Broxygen" usages have been replaced in
  code, documentation, filenames, etc.

* Sphinx roles/directives like ":bro:see" are now ":zeek:see"

* The "--broxygen" command-line option is now "--zeexygen"
2019-04-22 19:45:50 -07:00
Jon Siwek
a994be9eeb Merge remote-tracking branch 'origin/topic/seth/zeek_init'
* origin/topic/seth/zeek_init:
  Some more testing fixes.
  Update docs and tests for bro_(init|done) -> zeek_(init|done)
  Implement the zeek_init handler.
2019-04-19 11:24:29 -07:00
Seth Hall
8cefb9be42 Implement the zeek_init handler.
Implements the change and a test.
2019-04-14 08:37:35 -04:00
Daniel Thayer
18bd74454b Rename all scripts to have ".zeek" file extension 2019-04-11 21:12:40 -05:00
Jon Siwek
01d303b480 Migrate table-based for-loops to key-value iteration 2019-03-15 19:54:44 -07:00
Johanna Amann
2e2f611df5 Merge branch 'master' of https://github.com/hosom/zeek
* 'master' of https://github.com/hosom/zeek:
  Add fuid to SSL:Invalid_Server_Cert notice
2019-01-29 14:52:34 -08:00
Stephen Hosom
e30a02e186 Add fuid to SSL:Invalid_Server_Cert notice
This is a very basid quality of life improvement. It should make it
much easier to find additional information about the certificate
in question.
2019-01-29 13:34:51 -05:00
Jon Siwek
0cc5e4e044 Add missing record field comment 2018-10-26 10:42:05 -05:00
Johanna Amann
27d47314f7 Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data 2018-08-27 09:25:40 -07:00
Daniel Thayer
01a899255e Convert more redef-able constants to runtime options 2018-08-24 16:05:44 -05:00
Johanna Amann
b2a0418dc5 Final touches to SSL events with record layer version. 2018-08-23 14:18:38 -07:00
Johanna Amann
aa2488fb69 Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data 2018-08-20 16:10:21 -07:00
Johanna Amann
b1dbd757a6 Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data 2018-08-17 11:52:00 -07:00
Daniel Thayer
dc0904a7f3 Convert some redef-able constants to runtime options 2018-08-15 10:17:14 -05:00
Jon Siwek
a2f8d81fb6 Fix validate-certs.bro comments 2018-08-13 10:20:58 -05:00
Jon Siwek
e6042940dc Fix (non)suppression of proxy-bound events in known-*.bro scripts
When not using data stores, these scripts were intended to suppress
sending duplicate events to proxies by looking up the key in the local
cache.
2018-08-06 17:04:42 -05:00
Vern Paxson
88fd7510c6 reap the fruits of v += e 2018-07-26 12:51:36 -07:00
Johanna Amann
1fec186c39 Fix SCT validation when invalid certificates are in chain.
At the moment it would try to access an unset optional in this case.
2018-05-31 14:58:46 -07:00
Robin Sommer
fe7e1ee7f0 Merge topic/actor-system throug a squashed commit. 2018-05-18 22:39:23 +00:00
Robin Sommer
faa4150154 Merge remote-tracking branch 'origin/topic/johanna/ocsp-sct-validate'
Closes #1830.

* origin/topic/johanna/ocsp-sct-validate: (82 commits)
  Tiny script changes for SSL.
  Update CT Log list
  SSL: Update OCSP/SCT scripts and documentation.
  Revert "add parameter 'status_type' to event ssl_stapled_ocsp"
  Revert "parse multiple OCSP stapling responses"
  SCT: Fix script error when mime type of file unknown.
  SCT: another memory leak in SCT parsing.
  SCT validation: fix small memory leak (public keys were not freed)
  Change end-of-connection handling for validation
  OCSP/TLS/SCT: Fix a number of test failures.
  SCT Validate: make caching a bit less aggressive.
  SSL: Fix type of ssl validation result
  TLS-SCT: compile on old versions of OpenSSL (1.0.1...)
  SCT: Add caching support for validation
  SCT: Add signed certificate timestamp validation script.
  SCT: Allow verification of SCTs in Certs.
  SCT: only compare correct OID/NID for Cert/OCSP.
  SCT: add validation of proofs for extensions and OCSP.
  SCT: pass timestamp as uint64 instead of time
  Add CT log information to Bro
  ...
2017-07-30 08:49:41 -07:00
Johanna Amann
db15773c09 Tiny script changes for SSL.
log-hostcerts-only relied on old event ordering; the identifier key of
validate-certs is now shorter (no function change, just potentially a
tiny bit faster).
2017-07-28 09:21:35 -07:00
Johanna Amann
9594f69598 SSL: Update OCSP/SCT scripts and documentation. 2017-07-27 16:22:40 -07:00
Johanna Amann
9126376581 Revert "add parameter 'status_type' to event ssl_stapled_ocsp"
This reverts commit 545848d906.

Revert further part of stapled OCSP response handling that probably
never worked.
2017-07-27 15:12:19 -07:00
Johanna Amann
0107ad6c31 Merge branch 'topic/johanna/ocsp-sct-validate' of ssh://git.bro.org/bro into topic/johanna/ocsp-sct-validate 2017-05-14 08:07:18 -07:00
Johanna Amann
eb50b3fed1 Change end-of-connection handling for validation
Move from using CCS (before: established) to just doing certificate
validation at the end of the connection.

This is (again) more robust in the case of aborted connection. I am
moving this into a hook because of the complexity of the
end-of-connection handling for SSL.

This should probably be extended to not just handle SSL validation, but
all other logging constructs that are currently called in _established.
2017-05-11 22:50:20 -07:00
Johanna Amann
876f492a35 OCSP/TLS/SCT: Fix a number of test failures.
These were caused by earlier code updates.

This commit also removes the ocsp stapling logging script; it was
defunctional and the information provided by it wnever really has been
especially interesting.
2017-05-06 08:01:20 -07:00
Johanna Amann
a334247478 SCT Validate: make caching a bit less aggressive.
This triggers a re-validation of the SCT when the certificate validation
status changed. This means that a SCT will show as valid if the
certificate chain could be validated and can now be used to determine
the correct issuer key hash.
2017-05-03 22:06:24 -07:00
Johanna Amann
d531a5405a SSL: Fix type of ssl validation result 2017-03-29 12:40:14 -07:00
Johanna Amann
aec62aeee9 SCT: Add caching support for validation 2017-03-29 09:17:30 -07:00
Johanna Amann
22b1eda472 SCT: Add signed certificate timestamp validation script.
This also rewrites the certificate validation script (which we need for
this) slightly.

This could need a bit of caching, but should generally work very
reliably.
2017-03-29 09:17:30 -07:00
Johanna Amann
115a676d08 SCT: Allow verification of SCTs in Certs.
This is much more complex than the TLS Extension/OCSP cases. We need to
first alter the certificate and remove the extension from it, before
extracting the tbscert. Furthermore, we need the key hash of the issuing
certificate to be able to validate the proof - which means that we need
a valid certificate chain.

Missing: documentation, nice integration so that we can just add a
script and use this in Bro.
2017-03-29 09:17:24 -07:00
Johanna Amann
9c6cebf324 OCSP: a bunch of whitespace fixes 2017-02-10 17:03:04 -08:00
Johanna Amann
c670613996 Make OCSP analyzer part of the X.509 analyzer
This allows the easier integration of shared functionality. And it also
makes logical sense, given that OCSP is not interesting without X.509.
2017-02-10 17:02:15 -08:00
Johanna Amann
dfc871f831 Merge remote-tracking branch 'origin/master' into topic/johanna/ocsp 2017-02-08 10:35:12 -08:00
Johanna Amann
c05e07cc90 Add record layer version to event ssl_encrypted_data.
This exposes the record layer version of the fragment in addition to the
content type and the length. The ordering of the arguments in the event
is the same as the ordering in the protocol message (first type, then
version, then length).

This also includes a slight change to the analyzer, no longer calling
the generate function if the event is not used.
2017-02-03 13:45:40 -08:00
Daniel Thayer
5745213326 Fix minor typos in documentation of various scripts 2016-11-11 14:08:17 -06:00
Johanna Amann
d92fd52b35 Remove measurement scripts 2015-12-14 16:06:31 -08:00
Johanna Amann
c93a9fbebd Log only local-originated IPs. 2015-12-08 14:55:50 -08:00
Liang Zhu
cdc812074c fix data structure recursion 2015-08-19 11:38:34 -07:00
Liang Zhu
d45558d2a1 log the number of certs in OCSP response 2015-08-18 21:44:52 -07:00
Liang Zhu
5d168792ee deal with bug url 2015-07-28 16:20:38 -07:00
Liang Zhu
cea1b62a9a small bug fix 2015-07-21 23:38:56 -07:00
Liang Zhu
462f6608a8 log the time for server first encrypted application data 2015-07-21 14:44:33 -07:00
Liang Zhu
5f2cb840d7 add user_agent to ocsp-to-match log 2015-07-20 16:55:19 -07:00
Liang Zhu
fa654121ec fix url parsing bug 2015-07-20 15:46:21 -07:00
Liang Zhu
4e8d15d8d1 small bug fix 2015-07-18 01:53:28 -07:00