
- policy/frameworks/intel/seen is the new location for the scripts that push data into the intel framework for checking. - The new policy/frameworks/intel/do_notice script adds an example mechanism for data-driven notices.
@load base/frameworks/intel
@load base/protocols/ssl
@load ./where-locations
# Feed the Intel framework from observed X.509 certificates: the e-mail address
# in the certificate subject (when one is present) and the SHA1 of the
# DER-encoded certificate. Only the first certificate of the chain
# (chain_idx 0, presumably the end-entity certificate) is considered; the
# location is reported as client or server certificate depending on which side
# of the connection sent it.
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
	{
	# Certificates further up the chain are not checked against intel.
	if ( chain_idx != 0 )
		return;

	# Both indicators below share the same location, so compute it once.
	local cert_loc = is_orig ? SSL::IN_CLIENT_CERT : SSL::IN_SERVER_CERT;

	if ( /emailAddress=/ in cert$subject )
		{
		# Isolate the value of the emailAddress attribute: drop everything up
		# to and including "emailAddress=", then drop from the next comma on.
		local addr = sub(cert$subject, /^.*emailAddress=/, "");
		addr = sub(addr, /,.*$/, "");
		Intel::seen([$indicator=addr,
		             $indicator_type=Intel::EMAIL,
		             $conn=c,
		             $where=cert_loc]);
		}

	Intel::seen([$indicator=sha1_hash(der_cert),
	             $indicator_type=Intel::CERT_HASH,
	             $conn=c,
	             $where=cert_loc]);
	}
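# Feed the Intel framework with the server name (SNI) requested by the client.
# Only the originator's server_name extension is considered, and only once the
# SSL analyzer has populated c$ssl$server_name.
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
	{
	# Guard the table lookup: indexing SSL::extensions with an extension code it
	# does not know about is a runtime error rather than a false comparison, so
	# an unknown code would abort the handler before the remaining checks run.
	if ( ! is_orig || code !in SSL::extensions || SSL::extensions[code] != "server_name" )
		return;

	if ( c?$ssl && c$ssl?$server_name )
		Intel::seen([$indicator=c$ssl$server_name,
		             $indicator_type=Intel::DOMAIN,
		             $conn=c,
		             $where=SSL::IN_SERVER_NAME]);
	}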