Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/policy/protocols/ssl/known-certs.bro
Jon Siwek 47500ceef4 Add a test that checks each individual script can be loaded in bare-mode. 
Fixed most @load dependency issues in the process.  The test is still
failing in a "known" way due to hot.conn.bro and scan.bro.

Adressess #545
2011-08-10 15:38:21 -05:00

58 lines
2 KiB
Text
Raw Blame History

@load base/utils/directions-and-hosts
module KnownCerts;
export {
redef enum Log::ID += { KNOWN_CERTS };
type Info: record {
## The timestamp when the certificate was detected.
ts: time &log;
## The address that offered the certificate.
host: addr &log;
## If the certificate was handed out by a server, this is the
## port that the server was listening on.
port_num: port &log &optional;
## Certificate subject.
subject: string &log &optional;
## Certificate issuer subject.
issuer_subject: string &log &optional;
## Serial number for the certificate.
serial: string &log &optional;
};
## The certificates whose existence should be logged and tracked.
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
const asset_tracking = LOCAL_HOSTS &redef;
## The set of all known certificates to store for preventing duplicate
## logging. It can also be used from other scripts to
## inspect if a certificate has been seen in use. The string value
## in the set is for storing the certificate's serial number.
global known_certs: set[addr, string] &create_expire=1day &synchronized &redef;
global log_known_certs: event(rec: Info);
}
event bro_init()
{
Log::create_stream(KNOWN_CERTS, [$columns=Info, $ev=log_known_certs]);
}
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string)
{
# We aren't tracking client certificates yet.
if ( ! is_server ) return;
# We are also only tracking the primary cert.
if ( chain_idx != 0 ) return;
local host = c$id$resp_h;
if ( [host, cert$serial] !in known_certs && addr_matches_host(host, asset_tracking) )
{
add known_certs[host, cert$serial];
Log::write(KNOWN_CERTS, [$ts=network_time(), $host=host,
$port_num=c$id$resp_p, $subject=cert$subject,
$issuer_subject=cert$issuer,
$serial=cert$serial]);
}
}
Reference in a new issue View git blame Copy permalink