Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 09:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
zeek/policy/protocols/ssl/base.bro
Seth Hall aaab2f8cbb Fixed some more script bugs and more cleanup.
2011-06-01 15:04:05 -04:00

74 lines
2.7 KiB
Text
Raw Blame History

module SSL;
export {
## This is the root CA bundle. By default it is Mozilla's full trusted
## root CA list.
# TODO: move the mozilla_root_certs setting into the mozilla file.
#print mozilla_root_certs;
const root_certs: table[string] of string = {} &redef;
#const root_certs: table[string] of string = {} &redef;
## This is where you can define root certificates that you want to validate
## against servers. For example, you may have a policy that states that
## all local certificates must be signed by a specific signing authority.
## If you specify your local networks with only the specific authority
## or authorities your policy stipulates here, certificates signed by any
## other key will not validate. By default, all servers are validated
## against the full ``root_certs`` bundle.
#const server_validation: table[subnet] of table[string] of string =
# { [0.0.0.0/0] = root_certs } &redef;
## This is where you can define root certificates that you want to validate
## against clients. This is still doing validation against the server
## certificate chain, but this allows you to define a restricted
## list of signing certificate that clients should be seen connecting to.
## For example, you may have a tightly controlled network
## that you **never** want to establish SSL sessions using anything other
## than certificates signed by a very select list of certificate
## authorities. You can define the networks in this variable along with
## key signing certificates with which they should be allowed to establish
## SSL connections. By default, all client connections are validated
## against the full ``root_certs`` bundle.
#const client_validation: table[subnet] of table[string] of string =
# { [0.0.0.0/0] = root_certs } &redef;
}
# TODO: add the script for this and generate on one to ship.
#@load mozilla-root-certs
redef capture_filters += {
["ssl"] = "tcp port 443",
["nntps"] = "tcp port 563",
["imap4-ssl"] = "tcp port 585",
["sshell"] = "tcp port 614",
["ldaps"] = "tcp port 636",
["ftps-data"] = "tcp port 989",
["ftps"] = "tcp port 990",
["telnets"] = "tcp port 992",
["imaps"] = "tcp port 993",
["ircs"] = "tcp port 994",
["pop3s"] = "tcp port 995"
};
global ssl_ports = {
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp,
} &redef;
redef dpd_config += {
[[ANALYZER_SSL]] = [$ports = ssl_ports]
};
#redef SSL::client_validation += table(
# [128.146.0.0/16] = table(
# ["LOCAL_DER_CERT"] = "ADFADFWEAFASDFASDFA",
# ["LOCAL_DER_CERT2"] = "ADFADFWEAFASDFASDFA" )
# #["DER_CERT_1"] = SSL::root_certs["DER_CERT_1"],
# #["LOCAL_DER_CERT"] = "ADFADFWEAFASDFASDFA"},
#);
Reference in a new issue View git blame Copy permalink