mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
ed91732e09
* origin/topic/seth/more-file-type-ident-fixes: File API updates complete. Fixes for file type identification. API changes to file analysis mime type detection. Make HTTP 206 reassembly require ETags by default. More file type identification improvements Fix an issue with files having gaps before the bof_buffer is filled. Fix an issue with packet loss in http file reporting. Adding WOFF fonts to file type identification. Extended JSON matching and added OCSP responses. Another large signature update. More signature updates. Even more file type ident clean up. Lots of fixes for file type identification. BIT-1368 #merged
80 lines
1.9 KiB
Text
80 lines
1.9 KiB
Text
@load base/frameworks/files
|
|
@load base/files/hash
|
|
|
|
module X509;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Current timestamp.
|
|
ts: time &log;
|
|
|
|
## File id of this certificate.
|
|
id: string &log;
|
|
|
|
## Basic information about the certificate.
|
|
certificate: X509::Certificate &log;
|
|
|
|
## The opaque wrapping the certificate. Mainly used
|
|
## for the verify operations.
|
|
handle: opaque of x509;
|
|
|
|
## All extensions that were encountered in the certificate.
|
|
extensions: vector of X509::Extension &default=vector();
|
|
|
|
## Subject alternative name extension of the certificate.
|
|
san: X509::SubjectAlternativeName &optional &log;
|
|
|
|
## Basic constraints extension of the certificate.
|
|
basic_constraints: X509::BasicConstraints &optional &log;
|
|
};
|
|
|
|
## Event for accessing logged records.
|
|
global log_x509: event(rec: Info);
|
|
}
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
|
|
}
|
|
|
|
redef record Files::Info += {
|
|
## Information about X509 certificates. This is used to keep
|
|
## certificate information until all events have been received.
|
|
x509: X509::Info &optional;
|
|
};
|
|
|
|
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
|
|
{
|
|
if ( ! f$info?$mime_type )
|
|
f$info$mime_type = "application/pkix-cert";
|
|
|
|
f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
|
|
}
|
|
|
|
event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
|
|
{
|
|
if ( f$info?$x509 )
|
|
f$info$x509$extensions[|f$info$x509$extensions|] = ext;
|
|
}
|
|
|
|
event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
|
|
{
|
|
if ( f$info?$x509 )
|
|
f$info$x509$basic_constraints = ext;
|
|
}
|
|
|
|
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &priority=5
|
|
{
|
|
if ( f$info?$x509 )
|
|
f$info$x509$san = ext;
|
|
}
|
|
|
|
event file_state_remove(f: fa_file) &priority=5
|
|
{
|
|
if ( ! f$info?$x509 )
|
|
return;
|
|
|
|
Log::write(LOG, f$info$x509);
|
|
}
|