zeek/testing/btest/scripts/base/files/x509/disable-certificate-events-known-certs.zeek
Johanna Amann e58b03a43f Add policy script suppressing certificate events
The added disable-certificate-events-known-certs.zeek disables repeated
X509 events in SSL connections, given that the connection terminates at
the same server and uses the same SNI as a previously seen connection
with the same certificate.

For people who see significant amounts of TLS 1.2 traffic, this could
reduce the number of raised events significantly - especially when a
lot of connections are repeat connections to the same servers.

The practical impact of not raising these events is actually very little
- unless a script directly interacts with the x509 events, everything
works as before - the x509 variables in the connection records are still
being set (from the cache).
2021-06-29 11:39:18 +01:00
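The suppression the commit message describes, as an illustrative sketch added here; this is not Zeek's own disable-certificate-events-known-certs.zeek, and the module name, the set name `seen_certs`, its expiry and the choice of keying on responder address plus SNI plus certificate hash are assumptions made for the sketch. It relies on the base X509 scripts re-raising the x509_* events from their own, lower-priority handler of `X509::x509_certificate_cache_replay`, which is what a `&priority=5` handler (as in the test below) runs ahead of; a `break` at hook level stops the remaining handlers.

```zeek
# Sketch (added example, not the project's script): suppress replayed x509_*
# events once a certificate has already been replayed for the same server
# address and SNI. Names, expiry and keying are assumptions of this sketch.

@load base/protocols/ssl
@load base/files/x509

module KnownCertSketch;

export {
	## (server address, SNI, certificate sha256) triples for which the replayed
	## events were already raised once. The expiry is a sketch value.
	global seen_certs: set[addr, string, string] &read_expire=1hr;
}

# Cache hits arrive through this hook; the base scripts' own handler (assumed to
# run at a lower priority than this one) re-raises the x509_* events. Executing
# `break` at hook level prevents those remaining handlers from running, so the
# events are not raised. The SSL scripts still fill the connection record's
# x509 fields from the cache, which is why logs are unaffected.
hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=5
	{
	# Only files attached to a connection can be keyed on server and SNI.
	if ( ! f?$conns )
		return;

	local suppress = F;

	for ( cid, c in f$conns )
		{
		# Ignore connections that are not TLS; they carry no SNI.
		if ( ! c?$ssl )
			next;

		# Connections without SNI share the empty string as their key.
		local sni = c$ssl?$server_name ? c$ssl$server_name : "";

		if ( [c$id$resp_h, sni, sha256] in seen_certs )
			# Same server, same SNI, same certificate as before.
			suppress = T;
		else
			add seen_certs[c$id$resp_h, sni, sha256];
		}

	# `break` inside the loop would only leave the loop; it has to sit at hook
	# level to stop the other handlers of this hook.
	if ( suppress )
		break;
	}
```

With `X509::caching_required_encounters = 1`, the first connection is parsed by the analyzer and raises events normally; the second is a cache hit, is recorded in `seen_certs` and still has its events replayed; from the third connection on, the replayed events are suppressed, which matches the sequence the test's third case describes.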


# @TEST-EXEC: zeek -b -C -r $TRACES/tls/google-cert-repeat.pcap common.zeek %INPUT
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log
# @TEST-EXEC: btest-diff .stdout
@TEST-START-FILE common.zeek
@load base/protocols/ssl
@load protocols/ssl/validate-certs.zeek
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	print "x509_certificate", cert$subject;
	}
hook SSL::ssl_finishing(c: connection)
	{
	print "finishing", c$ssl$cert_chain[0]$x509$certificate$subject;
	}
hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=5
	{
	print "Hook for", e$certificate$subject;
	}
@TEST-END-FILE
# First: Plain, no changes - certificate event caching won't even engage.
# @TEST-START-NEXT
# Second - engage certificate caching.
# Log files and events are unchanged - but the replay hook engages
redef X509::caching_required_encounters = 1;
redef X509::certificate_cache_minimum_eviction_interval = 11min;
# @TEST-START-NEXT
# Third - load policy script to not raise events
# Log files are unchanged; events are not raised from the third time.
redef X509::caching_required_encounters = 1;
redef X509::certificate_cache_minimum_eviction_interval = 11min;
@load policy/files/x509/disable-certificate-events-known-certs