policy/protocols/ssl/known-certs.bro

Known

Log information about certificates while attempting to avoid duplicate logging.

Namespace:Known Imports:base/files/x509, base/protocols/ssl, base/utils/directions-and-hosts.bro Source File:/scripts/policy/protocols/ssl/known-certs.bro

Summary

Options

Known::cert_tracking: Host &redef

The certificates whose existence should be logged and tracked.

State Variables

Known::certs: set &create_expire = 1.0 day &synchronized &redef

The set of all known certificates to store for preventing duplicate logging.

Types

Known::CertsInfo: record

Redefinitions

Log::ID: enum

Events

Known::log_known_certs: event

Event that can be handled to access the loggable record as it is sent on to the logging framework.

Detailed Interface

Options

Known::cert_tracking

Type:Host Attributes:&redef Default:ALL_HOSTS

The certificates whose existence should be logged and tracked. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.

State Variables

Known::certs

Type:set [addr, string] Attributes:&create_expire = 1.0 day &synchronized &redef Default:{}

The set of all known certificates to store for preventing duplicate logging. It can also be used from other scripts to inspect if a certificate has been seen in use. The string value in the set is for storing the DER formatted certificate’ SHA1 hash.

Types

Known::CertsInfo

Type:

record

ts: time &log

The timestamp when the certificate was detected.

host: addr &log

The address that offered the certificate.

port_num: port &log &optional

If the certificate was handed out by a server, this is the port that the server was listening on.

subject: string &log &optional

Certificate subject.

issuer_subject: string &log &optional

Certificate issuer subject.

serial: string &log &optional

Serial number for the certificate.

Events

Known::log_known_certs

Type:event (rec: Known::CertsInfo)

Event that can be handled to access the loggable record as it is sent on to the logging framework.