mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
113 lines
3.1 KiB
Text
113 lines
3.1 KiB
Text
#! Log ocsp stapling information
|
|
|
|
module OCSP_STAPLING;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
type Info: record {
|
|
## timestamp
|
|
ts: time &log;
|
|
|
|
## connection id
|
|
cid: conn_id &log;
|
|
|
|
## connection uid
|
|
cuid: string &log;
|
|
|
|
## size of this response
|
|
size: count &log;
|
|
|
|
## responseStatus
|
|
responseStatus: string &log;
|
|
|
|
## responseType
|
|
responseType: string &log;
|
|
|
|
## version
|
|
version: count &log;
|
|
|
|
## responderID
|
|
responderID: string &log;
|
|
|
|
## producedAt
|
|
producedAt: string &log;
|
|
|
|
## NOTE: the following are specific to one cert id
|
|
## the above are for one message which may contain
|
|
## several responses
|
|
|
|
## index
|
|
idx: count &log &optional;
|
|
|
|
## cert id
|
|
cert_id: OCSP::CertId &log &optional;
|
|
|
|
## certStatus (this is the response to look at)
|
|
certStatus: string &log &optional;
|
|
|
|
## thisUpdate
|
|
thisUpdate: string &log &optional;
|
|
|
|
## nextUpdate
|
|
nextUpdate: string &log &optional;
|
|
};
|
|
}
|
|
|
|
event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
|
|
{
|
|
local resp: OCSP::Response = ocsp_parse_response(response);
|
|
|
|
# TOCHECK: is this right?
|
|
local resp_size: count =|response|;
|
|
|
|
if (resp?$responses)
|
|
{
|
|
local num: count = 0;
|
|
for (x in resp$responses)
|
|
{
|
|
num += 1;
|
|
local single_resp: OCSP::SingleResp = resp$responses[x];
|
|
local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm,
|
|
$issuerNameHash = single_resp$issuerNameHash,
|
|
$issuerKeyHash = single_resp$issuerKeyHash,
|
|
$serialNumber = single_resp$serialNumber];
|
|
|
|
local resp_rec: Info = [$ts = network_time(),
|
|
$cid = c$id,
|
|
$cuid = c$uid,
|
|
$size = resp_size,
|
|
$responseStatus = resp$responseStatus,
|
|
$responseType = resp$responseType,
|
|
$version = resp$version,
|
|
$responderID = resp$responderID,
|
|
$producedAt = resp$producedAt,
|
|
$idx = num,
|
|
$cert_id = cert_id,
|
|
$certStatus = single_resp$certStatus,
|
|
$thisUpdate = single_resp$thisUpdate];
|
|
|
|
if (single_resp?$nextUpdate)
|
|
resp_rec$nextUpdate = single_resp$nextUpdate;
|
|
Log::write(LOG, resp_rec);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
# no response content? this is weird but log it anyway
|
|
local resp_rec_empty: Info = [$ts = network_time(),
|
|
$cid = c$id,
|
|
$cuid = c$uid,
|
|
$size = resp_size,
|
|
$responseStatus = resp$responseStatus,
|
|
$responseType = resp$responseType,
|
|
$version = resp$version,
|
|
$responderID = resp$responderID,
|
|
$producedAt = resp$producedAt];
|
|
Log::write(LOG, resp_rec_empty);
|
|
}
|
|
}
|
|
|
|
event bro_init()
|
|
{
|
|
Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]);
|
|
}
|