mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
1bd658da8f
This adds a "policy" hook into the logging framework's streams and
filters to replace the existing log filter predicates. The hook
signature is as follows:
hook(rec: any, id: Log::ID, filter: Log::Filter);
The logging manager invokes hooks on each log record. Hooks can veto
log records via a break, and modify them if necessary. Log filters
inherit the stream-level hook, but can override or remove the hook as
needed.
The distribution's existing log streams now come with pre-defined
hooks that users can add handlers to. Their name is standardized as
"log_policy" by convention, with additional suffixes when a module
provides multiple streams. The following adds a handler to the Conn
module's default log policy hook:
hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
{
if ( some_veto_reason(rec) )
break;
}
By default, this handler will get invoked for any log filter
associated with the Conn::LOG stream.
The existing predicates are deprecated for removal in 4.1 but continue
to work.
64 lines
2.3 KiB
Text
64 lines
2.3 KiB
Text
##! Enable logging of OCSP responses.
|
|
#
|
|
# This script is in policy and not loaded by default because OCSP logging
|
|
# does not provide a lot of interesting information in most environments.
|
|
|
|
module OCSP;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
global log_policy: Log::PolicyHook;
|
|
|
|
## The record type which contains the fields of the OCSP log.
|
|
type Info: record {
|
|
## Time when the OCSP reply was encountered.
|
|
ts: time &log;
|
|
## File id of the OCSP reply.
|
|
id: string &log;
|
|
## Hash algorithm used to generate issuerNameHash and issuerKeyHash.
|
|
hashAlgorithm: string &log;
|
|
## Hash of the issuer's distingueshed name.
|
|
issuerNameHash: string &log;
|
|
## Hash of the issuer's public key.
|
|
issuerKeyHash: string &log;
|
|
## Serial number of the affected certificate.
|
|
serialNumber: string &log;
|
|
## Status of the affected certificate.
|
|
certStatus: string &log;
|
|
## Time at which the certificate was revoked.
|
|
revoketime: time &log &optional;
|
|
## Reason for which the certificate was revoked.
|
|
revokereason: string &log &optional;
|
|
## The time at which the status being shows is known to have been correct.
|
|
thisUpdate: time &log;
|
|
## The latest time at which new information about the status of the certificate will be available.
|
|
nextUpdate: time &log &optional;
|
|
};
|
|
|
|
## Event that can be handled to access the OCSP record
|
|
## as it is sent to the logging framework.
|
|
global log_ocsp: event(rec: Info);
|
|
}
|
|
|
|
event zeek_init() &priority=5
|
|
{
|
|
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
|
|
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
|
}
|
|
|
|
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
|
|
{
|
|
local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
|
|
$issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
|
|
$thisUpdate=thisUpdate);
|
|
|
|
if ( revokereason != "" )
|
|
wr$revokereason = revokereason;
|
|
if ( time_to_double(revoketime) != 0 )
|
|
wr$revoketime = revoketime;
|
|
if ( time_to_double(nextUpdate) != 0 )
|
|
wr$nextUpdate = nextUpdate;
|
|
|
|
Log::write(LOG, wr);
|
|
}
|