mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 07:08:19 +00:00
ded98cd373
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
756 lines
27 KiB
ReStructuredText
756 lines
27 KiB
ReStructuredText
:tocdepth: 3
|
|
|
|
base/protocols/ssl/main.zeek
|
|
============================
|
|
.. zeek:namespace:: SSL
|
|
|
|
Base SSL analysis script. This script logs information about the SSL/TLS
|
|
handshaking and encryption establishment process.
|
|
|
|
:Namespace: SSL
|
|
:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>`
|
|
|
|
Summary
|
|
~~~~~~~
|
|
Runtime Options
|
|
###############
|
|
======================================================================================= ===============================================================
|
|
:zeek:id:`SSL::ct_logs`: :zeek:type:`table` :zeek:attr:`&redef` The Certificate Transparency log bundle.
|
|
:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` If true, detach the SSL analyzer from the connection to prevent
|
|
continuing to process encrypted traffic.
|
|
:zeek:id:`SSL::max_ssl_history_length`: :zeek:type:`count` :zeek:attr:`&redef` Maximum length of the ssl_history field to prevent unbounded
|
|
growth when the parser is running into unexpected situations.
|
|
======================================================================================= ===============================================================
|
|
|
|
Redefinable Options
|
|
###################
|
|
================================================================== ===========================
|
|
:zeek:id:`SSL::root_certs`: :zeek:type:`table` :zeek:attr:`&redef` The default root CA bundle.
|
|
================================================================== ===========================
|
|
|
|
Types
|
|
#####
|
|
============================================= ============================================================
|
|
:zeek:type:`SSL::CTInfo`: :zeek:type:`record` The record type which contains the field for the Certificate
|
|
Transparency log bundle.
|
|
:zeek:type:`SSL::Info`: :zeek:type:`record` The record type which contains the fields of the SSL log.
|
|
============================================= ============================================================
|
|
|
|
Redefinitions
|
|
#############
|
|
==================================================================== =============================================================================
|
|
:zeek:type:`Log::ID`: :zeek:type:`enum`
|
|
|
|
* :zeek:enum:`SSL::LOG`
|
|
:zeek:type:`SSL::Info`: :zeek:type:`record`
|
|
|
|
:New Fields: :zeek:type:`SSL::Info`
|
|
|
|
delay_tokens: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
|
|
:zeek:type:`connection`: :zeek:type:`record`
|
|
|
|
:New Fields: :zeek:type:`connection`
|
|
|
|
ssl: :zeek:type:`SSL::Info` :zeek:attr:`&optional`
|
|
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
|
|
==================================================================== =============================================================================
|
|
|
|
Events
|
|
######
|
|
=========================================== =================================================
|
|
:zeek:id:`SSL::log_ssl`: :zeek:type:`event` Event that can be handled to access the SSL
|
|
record as it is sent on to the logging framework.
|
|
=========================================== =================================================
|
|
|
|
Hooks
|
|
#####
|
|
============================================================ ====================================================================
|
|
:zeek:id:`SSL::finalize_ssl`: :zeek:type:`Conn::RemovalHook` SSL finalization hook.
|
|
:zeek:id:`SSL::log_policy`: :zeek:type:`Log::PolicyHook`
|
|
:zeek:id:`SSL::ssl_finishing`: :zeek:type:`hook` Hook that can be used to perform actions right before the log record
|
|
is written.
|
|
============================================================ ====================================================================
|
|
|
|
Functions
|
|
#########
|
|
================================================== ====================================================================
|
|
:zeek:id:`SSL::delay_log`: :zeek:type:`function` Delays an SSL record for a specific token: the record will not be
|
|
logged as long as the token exists or until 15 seconds elapses.
|
|
:zeek:id:`SSL::undelay_log`: :zeek:type:`function` Undelays an SSL record for a previously inserted token, allowing the
|
|
record to be logged.
|
|
================================================== ====================================================================
|
|
|
|
|
|
Detailed Interface
|
|
~~~~~~~~~~~~~~~~~~
|
|
Runtime Options
|
|
###############
|
|
.. zeek:id:: SSL::ct_logs
|
|
:source-code: base/protocols/ssl/main.zeek 139 139
|
|
|
|
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`SSL::CTInfo`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``{}``
|
|
:Redefinition: from :doc:`/scripts/base/protocols/ssl/ct-list.zeek`
|
|
|
|
<< Value omitted due to ``@docs_omit_value`` annotation >>
|
|
|
|
The Certificate Transparency log bundle. By default, the ct-list.zeek
|
|
script sets this to the current list of known logs. Entries
|
|
are indexed by (binary) log-id.
|
|
|
|
.. zeek:id:: SSL::disable_analyzer_after_detection
|
|
:source-code: base/protocols/ssl/main.zeek 144 144
|
|
|
|
:Type: :zeek:type:`bool`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``T``
|
|
:Redefinition: from :doc:`/scripts/policy/protocols/ssl/decryption.zeek`
|
|
|
|
``=``::
|
|
|
|
F
|
|
|
|
:Redefinition: from :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek`
|
|
|
|
``=``::
|
|
|
|
F
|
|
|
|
|
|
If true, detach the SSL analyzer from the connection to prevent
|
|
continuing to process encrypted traffic. Helps with performance
|
|
(especially with large file transfers).
|
|
|
|
.. zeek:id:: SSL::max_ssl_history_length
|
|
:source-code: base/protocols/ssl/main.zeek 148 148
|
|
|
|
:Type: :zeek:type:`count`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``100``
|
|
|
|
Maximum length of the ssl_history field to prevent unbounded
|
|
growth when the parser is running into unexpected situations.
|
|
|
|
Redefinable Options
|
|
###################
|
|
.. zeek:id:: SSL::root_certs
|
|
:source-code: base/protocols/ssl/main.zeek 119 119
|
|
|
|
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
|
|
:Attributes: :zeek:attr:`&redef`
|
|
:Default: ``{}``
|
|
:Redefinition: from :doc:`/scripts/base/protocols/ssl/mozilla-ca-list.zeek`
|
|
|
|
<< Value omitted due to ``@docs_omit_value`` annotation >>
|
|
|
|
The default root CA bundle. By default, the mozilla-ca-list.zeek
|
|
script sets this to Mozilla's root CA list.
|
|
|
|
Types
|
|
#####
|
|
.. zeek:type:: SSL::CTInfo
|
|
:source-code: base/protocols/ssl/main.zeek 123 134
|
|
|
|
:Type: :zeek:type:`record`
|
|
|
|
|
|
.. zeek:field:: description :zeek:type:`string`
|
|
|
|
Description of the Log
|
|
|
|
|
|
.. zeek:field:: operator :zeek:type:`string`
|
|
|
|
Operator of the Log
|
|
|
|
|
|
.. zeek:field:: key :zeek:type:`string`
|
|
|
|
Public key of the Log.
|
|
|
|
|
|
.. zeek:field:: maximum_merge_delay :zeek:type:`count`
|
|
|
|
Maximum merge delay of the Log
|
|
|
|
|
|
.. zeek:field:: url :zeek:type:`string`
|
|
|
|
URL of the Log
|
|
|
|
|
|
The record type which contains the field for the Certificate
|
|
Transparency log bundle.
|
|
|
|
.. zeek:type:: SSL::Info
|
|
:source-code: base/protocols/ssl/main.zeek 16 115
|
|
|
|
:Type: :zeek:type:`record`
|
|
|
|
|
|
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
|
|
|
|
Time when the SSL connection was first detected.
|
|
|
|
|
|
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
|
|
|
|
Unique ID for the connection.
|
|
|
|
|
|
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
|
|
|
|
The connection's 4-tuple of endpoint addresses/ports.
|
|
|
|
|
|
.. zeek:field:: version_num :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
Numeric SSL/TLS version that the server chose.
|
|
|
|
|
|
.. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
SSL/TLS version that the server chose.
|
|
|
|
|
|
.. zeek:field:: cipher :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
SSL/TLS cipher suite that the server chose.
|
|
|
|
|
|
.. zeek:field:: curve :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Elliptic curve the server chose when using ECDH/ECDHE.
|
|
|
|
|
|
.. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Value of the Server Name Indicator SSL/TLS extension. It
|
|
indicates the server name that the client was requesting.
|
|
|
|
|
|
.. zeek:field:: session_id :zeek:type:`string` :zeek:attr:`&optional`
|
|
|
|
Session ID offered by the client for session resumption.
|
|
Not used for logging.
|
|
|
|
|
|
.. zeek:field:: resumed :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Flag to indicate if the session was resumed reusing
|
|
the key material exchanged in an earlier connection.
|
|
|
|
|
|
.. zeek:field:: client_ticket_empty_session_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Flag to indicate if we saw a non-empty session ticket being
|
|
sent by the client using an empty session ID. This value
|
|
is used to determine if a session is being resumed. It's
|
|
not logged.
|
|
|
|
|
|
.. zeek:field:: client_key_exchange_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Flag to indicate if we saw a client key exchange message sent
|
|
by the client. This value is used to determine if a session
|
|
is being resumed. It's not logged.
|
|
|
|
|
|
.. zeek:field:: client_psk_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Track if the client sent a pre-shared-key extension.
|
|
Used to determine if a TLS 1.3 session is being resumed.
|
|
Not logged.
|
|
|
|
|
|
.. zeek:field:: last_alert :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Last alert that was seen during the connection.
|
|
|
|
|
|
.. zeek:field:: next_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
Next protocol the server chose using the application layer
|
|
next protocol extension, if present.
|
|
|
|
|
|
.. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
The analyzer ID used for the analyzer instance attached
|
|
to each connection. It is not used for logging since it's a
|
|
meaningless arbitrary number.
|
|
|
|
|
|
.. zeek:field:: established :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Flag to indicate if this ssl session has been established
|
|
successfully, or if it was aborted during the handshake.
|
|
|
|
|
|
.. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Flag to indicate if this record already has been logged, to
|
|
prevent duplicates.
|
|
|
|
|
|
.. zeek:field:: hrr_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
Flag to indicate that we have seen a Hello Retry request message.
|
|
Used internally for ssl_history logging
|
|
|
|
|
|
.. zeek:field:: ssl_history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
|
|
|
|
SSL history showing which types of packets we received in which order.
|
|
Letters have the following meaning with client-sent letters being capitalized:
|
|
|
|
A direction flip occurs when the client hello packet is not sent from the originator
|
|
of a connection. This can, e.g., occur when DTLS is used in a connection that was
|
|
set up using STUN.
|
|
|
|
====== ====================================================
|
|
Letter Meaning
|
|
====== ====================================================
|
|
^ direction flipped
|
|
H hello_request
|
|
C client_hello
|
|
S server_hello
|
|
V hello_verify_request
|
|
T NewSessionTicket
|
|
X certificate
|
|
K server_key_exchange
|
|
R certificate_request
|
|
N server_hello_done
|
|
Y certificate_verify
|
|
G client_key_exchange
|
|
F finished
|
|
W certificate_url
|
|
U certificate_status
|
|
A supplemental_data
|
|
Z unassigned_handshake_type
|
|
I change_cipher_spec
|
|
B heartbeat
|
|
D application_data
|
|
E end_of_early_data
|
|
O encrypted_extensions
|
|
P key_update
|
|
M message_hash
|
|
J hello_retry_request
|
|
L alert
|
|
Q unknown_content_type
|
|
====== ====================================================
|
|
|
|
|
|
|
|
.. zeek:field:: delay_tokens :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
|
|
|
|
|
|
.. zeek:field:: cert_chain :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Chain of certificates offered by the server to validate its
|
|
complete signing chain.
|
|
|
|
|
|
.. zeek:field:: cert_chain_fps :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
An ordered vector of all certificate fingerprints for the
|
|
certificates offered by the server.
|
|
|
|
|
|
.. zeek:field:: client_cert_chain :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Chain of certificates offered by the client to validate its
|
|
complete signing chain.
|
|
|
|
|
|
.. zeek:field:: client_cert_chain_fps :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
An ordered vector of all certificate fingerprints for the
|
|
certificates offered by the client.
|
|
|
|
|
|
.. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Subject of the X.509 certificate offered by the server.
|
|
|
|
|
|
.. zeek:field:: issuer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Issuer of the signer of the X.509 certificate offered by the
|
|
server.
|
|
|
|
|
|
.. zeek:field:: client_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Subject of the X.509 certificate offered by the client.
|
|
|
|
|
|
.. zeek:field:: client_issuer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Subject of the signer of the X.509 certificate offered by the
|
|
client.
|
|
|
|
|
|
.. zeek:field:: sni_matches_cert :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Set to true if the hostname sent in the SNI matches the certificate.
|
|
Set to false if they do not match. Unset if the client did not send
|
|
an SNI.
|
|
|
|
|
|
.. zeek:field:: server_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
Current number of certificates seen from either side. Used
|
|
to create file handles.
|
|
|
|
|
|
.. zeek:field:: client_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: always_raise_x509_events :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek` is loaded)
|
|
|
|
Set to true to force certificate events to always be raised for this connection.
|
|
|
|
|
|
.. zeek:field:: requested_client_certificate_authorities :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/certificate-request-info.zeek` is loaded)
|
|
|
|
List of client certificate CAs accepted by the server
|
|
|
|
|
|
.. zeek:field:: client_random :zeek:type:`string` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/decryption.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: last_originator_heartbeat_request_size :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: last_responder_heartbeat_request_size :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: originator_heartbeats :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: responder_heartbeats :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: heartbleed_detected :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: enc_appdata_packages :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: enc_appdata_bytes :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
|
|
|
|
|
|
.. zeek:field:: server_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Numeric version of the server in the server hello
|
|
|
|
|
|
.. zeek:field:: client_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Numeric version of the client in the client hello
|
|
|
|
|
|
.. zeek:field:: client_ciphers :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Ciphers that were offered by the client for the connection
|
|
|
|
|
|
.. zeek:field:: ssl_client_exts :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
SSL Client extensions
|
|
|
|
|
|
.. zeek:field:: ssl_server_exts :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
SSL server extensions
|
|
|
|
|
|
.. zeek:field:: ticket_lifetime_hint :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Suggested ticket lifetime sent in the session ticket handshake
|
|
by the server.
|
|
|
|
|
|
.. zeek:field:: dh_param_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
The diffie helman parameter size, when using DH.
|
|
|
|
|
|
.. zeek:field:: point_formats :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
supported elliptic curve point formats
|
|
|
|
|
|
.. zeek:field:: client_curves :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
The curves supported by the client.
|
|
|
|
|
|
.. zeek:field:: orig_alpn :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Application layer protocol negotiation extension sent by the client.
|
|
|
|
|
|
.. zeek:field:: client_supported_versions :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
TLS 1.3 supported versions
|
|
|
|
|
|
.. zeek:field:: server_supported_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
TLS 1.3 supported versions
|
|
|
|
|
|
.. zeek:field:: psk_key_exchange_modes :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
TLS 1.3 Pre-shared key exchange modes
|
|
|
|
|
|
.. zeek:field:: client_key_share_groups :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Key share groups from client hello
|
|
|
|
|
|
.. zeek:field:: server_key_share_group :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Selected key share group from server hello
|
|
|
|
|
|
.. zeek:field:: client_comp_methods :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Client supported compression methods
|
|
|
|
|
|
.. zeek:field:: comp_method :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Server chosen compression method
|
|
|
|
|
|
.. zeek:field:: sigalgs :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Client supported signature algorithms
|
|
|
|
|
|
.. zeek:field:: hashalgs :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
|
|
|
|
Client supported hash algorithms
|
|
|
|
|
|
.. zeek:field:: validation_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
|
|
|
|
Result of certificate validation for this connection.
|
|
|
|
|
|
.. zeek:field:: validation_code :zeek:type:`int` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
|
|
|
|
Result of certificate validation for this connection, given
|
|
as OpenSSL validation code.
|
|
|
|
|
|
.. zeek:field:: valid_chain :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
|
|
|
|
Ordered chain of validated certificate, if validation succeeded.
|
|
|
|
|
|
.. zeek:field:: ocsp_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
|
|
|
|
Result of ocsp validation for this connection.
|
|
|
|
|
|
.. zeek:field:: ocsp_response :zeek:type:`string` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
|
|
|
|
ocsp response as string.
|
|
|
|
|
|
.. zeek:field:: valid_scts :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
|
|
|
|
Number of valid SCTs that were encountered in the connection.
|
|
|
|
|
|
.. zeek:field:: invalid_scts :zeek:type:`count` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
|
|
|
|
Number of SCTs that could not be validated that were encountered in the connection.
|
|
|
|
|
|
.. zeek:field:: valid_ct_logs :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
|
|
|
|
Number of different Logs for which valid SCTs were encountered in the connection.
|
|
|
|
|
|
.. zeek:field:: valid_ct_operators :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
|
|
|
|
Number of different Log operators of which valid SCTs were encountered in the connection.
|
|
|
|
|
|
.. zeek:field:: valid_ct_operators_list :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
|
|
|
|
List of operators for which valid SCTs were encountered in the connection.
|
|
|
|
|
|
.. zeek:field:: ct_proofs :zeek:type:`vector` of :zeek:type:`SSL::SctInfo` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
|
|
|
|
(present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
|
|
|
|
Information about all SCTs that were encountered in the connection.
|
|
|
|
|
|
The record type which contains the fields of the SSL log.
|
|
|
|
Events
|
|
######
|
|
.. zeek:id:: SSL::log_ssl
|
|
:source-code: base/protocols/ssl/main.zeek 160 160
|
|
|
|
:Type: :zeek:type:`event` (rec: :zeek:type:`SSL::Info`)
|
|
|
|
Event that can be handled to access the SSL
|
|
record as it is sent on to the logging framework.
|
|
|
|
Hooks
|
|
#####
|
|
.. zeek:id:: SSL::finalize_ssl
|
|
:source-code: base/protocols/ssl/main.zeek 517 527
|
|
|
|
:Type: :zeek:type:`Conn::RemovalHook`
|
|
|
|
SSL finalization hook. Remaining SSL info may get logged when it's called.
|
|
The :zeek:see:`SSL::ssl_finishing` hook may either
|
|
be called before this finalization hook for established SSL connections
|
|
or during this finalization hook for SSL connections may have info still
|
|
left to log.
|
|
|
|
.. zeek:id:: SSL::log_policy
|
|
:source-code: base/protocols/ssl/main.zeek 13 13
|
|
|
|
:Type: :zeek:type:`Log::PolicyHook`
|
|
|
|
|
|
.. zeek:id:: SSL::ssl_finishing
|
|
:source-code: base/protocols/ssl/main.zeek 164 164
|
|
|
|
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
|
|
|
|
Hook that can be used to perform actions right before the log record
|
|
is written.
|
|
|
|
Functions
|
|
#########
|
|
.. zeek:id:: SSL::delay_log
|
|
:source-code: base/protocols/ssl/main.zeek 227 232
|
|
|
|
:Type: :zeek:type:`function` (info: :zeek:type:`SSL::Info`, token: :zeek:type:`string`) : :zeek:type:`void`
|
|
|
|
Delays an SSL record for a specific token: the record will not be
|
|
logged as long as the token exists or until 15 seconds elapses.
|
|
|
|
.. zeek:id:: SSL::undelay_log
|
|
:source-code: base/protocols/ssl/main.zeek 234 238
|
|
|
|
:Type: :zeek:type:`function` (info: :zeek:type:`SSL::Info`, token: :zeek:type:`string`) : :zeek:type:`void`
|
|
|
|
Undelays an SSL record for a previously inserted token, allowing the
|
|
record to be logged.
|
|
|
|
|