base/bif/plugins/Bro_X509.ocsp_events.bif.bro¶
-
GLOBAL¶
| Namespace: | GLOBAL |
|---|---|
| Source File: | /scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro |
Summary¶
Events¶
ocsp_extension: event |
This event is raised when an OCSP extension is encountered in an OCSP response. |
ocsp_request: event |
Event that is raised when encountering an OCSP request, e.g. |
ocsp_request_certificate: event |
Event that is raised when encountering an OCSP request for a certificate, e.g. |
ocsp_response_bytes: event |
This event is raised when encountering an OCSP response that contains response information. |
ocsp_response_certificate: event |
This event is raised for each SingleResponse contained in an OCSP response. |
ocsp_response_status: event |
This event is raised when encountering an OCSP reply, e.g. |
Detailed Interface¶
Events¶
-
ocsp_extension¶ Type: event(f:fa_file, ext:X509::Extension, global_resp:bool)This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.
F: The file. Ext: The parsed extension (same format as X.509 extensions). Global_resp: T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse. See also:
ocsp_request,ocsp_request_certificate,ocsp_response_status,ocsp_response_bytes,ocsp_response_certificate,x509_ocsp_ext_signed_certificate_timestamp
-
ocsp_request¶ Type: event(f:fa_file, version:count)Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.
This event is raised exactly once for each OCSP Request.
F: The file. Req: version: the version of the OCSP request. Typically 0 (Version 1). See also:
ocsp_request_certificate,ocsp_response_status,ocsp_response_bytes,ocsp_response_certificate,ocsp_extension,x509_ocsp_ext_signed_certificate_timestamp
-
ocsp_request_certificate¶ Type: event(f:fa_file, hashAlgorithm:string, issuerNameHash:string, issuerKeyHash:string, serialNumber:string)Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.
Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.
F: The file. HashAlgorithm: The hash algorithm used for the issuerKeyHash. IssuerKeyHash: Hash of the issuers public key. SerialNumber: Serial number of the certificate for which the status is requested. See also:
ocsp_request,ocsp_response_status,ocsp_response_bytes,ocsp_response_certificate,ocsp_extension,x509_ocsp_ext_signed_certificate_timestamp
-
ocsp_response_bytes¶ Type: event(f:fa_file, resp_ref:opaqueof ocsp_resp, status:string, version:count, responderId:string, producedAt:time, signatureAlgorithm:string, certs:x509_opaque_vector)This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.
F: The file. Req_ref: An opaque pointer to the underlying OpenSSL data structure of the OCSP response. Status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). Version: Version of the OCSP response (typically - for version 1). ResponderId: The id of the OCSP responder; either a public key hash or a distinguished name. ProducedAt: Time at which the reply was produced. SignatureAlgorithm: Algorithm used for the OCSP signature. Certs: Optional list of certificates that are sent with the OCSP response; these typically are needed to perform validation of the reply. See also:
ocsp_request,ocsp_request_certificate,ocsp_response_status,ocsp_response_certificate,ocsp_extension,x509_ocsp_ext_signed_certificate_timestamp
-
ocsp_response_certificate¶ Type: event(f:fa_file, hashAlgorithm:string, issuerNameHash:string, issuerKeyHash:string, serialNumber:string, certStatus:string, revokeTime:time, revokeReason:string, thisUpdate:time, nextUpdate:time)This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.
F: The file. HashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash. IssuerNameHash: Hash of the issuer’s distinguished name. IssuerKeyHash: Hash of the issuer’s public key. SerialNumber: Serial number of the affected certificate. CertStatus: Status of the certificate. RevokeTime: Time the certificate was revoked, 0 if not revoked. RevokeTeason: Reason certificate was revoked; empty string if not revoked or not specified. ThisUpdate: Time this response was generated. NextUpdate: Time next response will be ready; 0 if not supploed. See also:
ocsp_request,ocsp_request_certificate,ocsp_response_status,ocsp_response_bytes,ocsp_extension,x509_ocsp_ext_signed_certificate_timestamp
-
ocsp_response_status¶ Type: event(f:fa_file, status:string)This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.
This event is raised exactly once for each OCSP reply.
F: The file. Status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). See also:
ocsp_request,ocsp_request_certificate,ocsp_response_bytes,ocsp_response_certificate,ocsp_extension,x509_ocsp_ext_signed_certificate_timestamp
