Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
Johanna Amann 64ab1bbd47 Enable OCSP logging by default. 
In the past I thought that this is not super interesting. However, it
turns out that this can actually contain a slew of interresting
information - like operating systems querying for the revocation of
software signing certificates, e.g.

So - let's just enable this as a default log for the future.
2021-06-29 09:26:29 +01:00

41 lines
1.5 KiB
Text
Raw Blame History

# This tests a normal OCSP request sent through HTTP GET
# @TEST-EXEC: zeek -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
event zeek_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
{
print "extension: ", ext, global_resp;
}
event ocsp_request(f: fa_file, version: count)
{
print "request", version, "";
}
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
{
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
}
event ocsp_response_status(f: fa_file, status: string)
{
print "ocsp_response_status", status;
}
event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
{
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
}
Reference in a new issue View git blame Copy permalink