
work fine now. Todo: * update all baselines * fix the circular reference to the fa_file structure I introduced :) Sadly this does not seem to be entirely straightforward. addresses BIT-953, BIT-760
@load base/frameworks/intel
@load base/files/x509
@load ./where-locations
# Report the e-mail address found in an X.509 certificate subject to the
# Intel framework as an Intel::EMAIL indicator observed at X509::IN_CERT.
#
# f:        file-analysis record delivered with the certificate; forwarded as $f.
# cert_ref: opaque certificate handle (not used in this handler).
# cert:     parsed certificate; only cert$subject is read.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	# Nothing to report when the subject carries no emailAddress attribute.
	if ( /emailAddress=/ !in cert$subject )
		return;

	# NOTE(review): the subject is taken from the certificate as presented,
	# so its content is chosen by whoever produced the certificate. The two
	# substitutions below are plain pattern stripping, not a DN parser:
	#  - the greedy prefix match keeps only the text after the LAST
	#    "emailAddress=" in the subject;
	#  - everything from the first following comma onward is dropped, so a
	#    value that itself contains a comma is cut short.
	# Treat a miss in the Intel lookup accordingly.
	local after_key = sub(cert$subject, /^.*emailAddress=/, "");
	local addr = sub(after_key, /,.*$/, "");

	Intel::seen([$indicator=addr,
	             $indicator_type=Intel::EMAIL,
	             $f=f,
	             $where=X509::IN_CERT]);
	}