mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
21e0d777b3
* accessing * across * adding * additional * addresses * afterwards * analyzer * ancillary * answer * associated * attempts * because * belonging * buffer * cleanup * committed * connects * database * destination * destroy * distinguished * encoded * entries * entry * hopefully * image * include * incorrect * information * initial * initiate * interval * into * java * negotiation * nodes * nonexistent * ntlm * occasional * omitted * otherwise * ourselves * paragraphs * particular * perform * received * receiver * referring * release * repetitions * request * responded * retrieval * running * search * separate * separator * should * synchronization * target * that * the * threshold * timeout * transaction * transferred * transmission * triggered * vetoes * virtual Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
19 lines
545 B
Text
19 lines
545 B
Text
##! This script is used to extract certificates seen on the wire to Zeek log files.
|
|
##! The certificates are base64-encoded and written to ssl.log, to the newly added cert
|
|
##! field.
|
|
|
|
@load base/protocols/ssl
|
|
@load base/files/x509
|
|
|
|
redef record X509::Info += {
|
|
## Base64 encoded X.509 certificate.
|
|
cert: string &log &optional;
|
|
};
|
|
|
|
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=1
|
|
{
|
|
if ( ! f$info?$x509 )
|
|
return;
|
|
|
|
f$info$x509$cert = encode_base64(x509_get_certificate_string(cert_ref));
|
|
}
|