[Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging
Bro Tracker
bro at tracker.bro-ids.org
Mon Dec 24 23:14:51 PST 2012
-------------------------------+------------------------
Reporter: matthias | Owner:
Type: Test Case Missing | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
-------------------------------+------------------------
This commit (i) adds support for delayed logging for SSL records, and (ii)
provides a new script notary.bro that interacts with the ICSI certificate
notary.
The delayed logging implementation takes the idea of delaying notices one
step further: it logs records in the order in which they would normally occur
by buffering them until a specified maximum timeout (by default 15 seconds).
A user can delay a record by adding an opaque identifier, and is
responsible for removing the same identifier later to "undelay" the record,
allowing it to be flushed.
The notary script comes as a client application to this new interface. For
each leaf certificate in a chain sent by a server, the script computes the
SHA1 hash and queries the notary. As soon as the reply arrives, the script
enhances the SSL log record with the details from the notary response and
undelays the record. The notary script also caches DNS replies for an hour
after creation.
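The delay/undelay mechanism and the notary client flow described above, written out as an added Python model. This is not the commit's own Bro script or the Bro logging API: the names DelayedLog, delay, undelay, NotaryClient and NOTARY_TOKEN are assumptions, the "certificates" are constructed byte strings, and the notary answers are a constructed stand-in for the real DNS service. It shows the two properties the ticket describes: a delayed record holds the records behind it so order is preserved, and a record whose delay is never removed is flushed after the 15 second maximum; the notary answers are cached for an hour.

```python
import hashlib
from dataclasses import dataclass, field

ONE_HOUR = 3600.0         # notary replies are cached this long (per the ticket)
NOTARY_TOKEN = "notary"   # opaque delay identifier used by the notary client (assumed name)


class FakeClock:
    """Deterministic clock so the 15 s timeout and 1 h cache expiry run offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Pending:
    rec_id: str
    record: dict
    enqueued_at: float
    delays: set = field(default_factory=set)   # opaque identifiers holding the record back


class DelayedLog:
    """Buffers records in arrival order; a record is flushed once all of its delay
    identifiers are removed or once it has waited max_delay seconds, whichever is first."""
    def __init__(self, clock, max_delay=15.0):
        self.clock, self.max_delay = clock, max_delay
        self.queue = []     # Pending objects, oldest first
        self.index = {}     # rec_id -> Pending, for delay/undelay/enrichment
        self.written = []   # records emitted so far, in order

    def log(self, rec_id, record, tokens=()):
        p = Pending(rec_id, record, self.clock(), set(tokens))
        self.queue.append(p)
        self.index[rec_id] = p
        self.flush()

    def record(self, rec_id):
        return self.index[rec_id].record

    def delay(self, rec_id, token):
        self.index[rec_id].delays.add(token)

    def undelay(self, rec_id, token):
        p = self.index.get(rec_id)
        if p is not None:
            p.delays.discard(token)
            self.flush()

    def flush(self):
        """Emit from the head while it is ready; a delayed head holds everything behind it."""
        now = self.clock()
        while self.queue:
            head = self.queue[0]
            expired = now - head.enqueued_at >= self.max_delay
            if head.delays and not expired:
                break
            self.queue.pop(0)
            del self.index[head.rec_id]
            self.written.append(dict(head.record))


class NotaryClient:
    """Keys the lookup on the SHA1 of the leaf certificate; caches answers for an hour."""
    def __init__(self, clock, answers):
        self.clock = clock
        self.answers = answers    # constructed stand-in for the notary's DNS responses
        self.cache = {}           # sha1 hex -> (answer, expires_at)
        self.queries = 0          # how many times the service was actually asked

    def lookup(self, leaf_der):
        digest = hashlib.sha1(leaf_der).hexdigest()
        hit = self.cache.get(digest)
        if hit is not None and hit[1] > self.clock():
            return digest, hit[0]
        self.queries += 1
        answer = self.answers.get(digest)          # None models "no reply"
        if answer is not None:
            self.cache[digest] = (answer, self.clock() + ONE_HOUR)
        return digest, answer


def run_scenario():
    clock = FakeClock()
    cert_a = b"constructed leaf certificate A (not real DER)"
    cert_b = b"constructed leaf certificate B (not real DER)"
    answers = {hashlib.sha1(cert_a).hexdigest(): "first_seen=constructed,last_seen=constructed"}
    notary = NotaryClient(clock, answers)
    log = DelayedLog(clock)

    # t=0: connection c1 presents cert_a; hold its record until the notary answers
    log.log("c1", {"uid": "c1", "notary": None}, tokens=[NOTARY_TOKEN])
    clock.advance(1)
    # t=1: c2 has nothing to wait for, but stays behind c1 so the order is preserved
    log.log("c2", {"uid": "c2", "notary": None})
    clock.advance(1)
    # t=2: the reply for c1 arrives: enrich the record, then undelay -> c1 and c2 flush in order
    _, answer = notary.lookup(cert_a)
    log.record("c1")["notary"] = answer
    log.undelay("c1", NOTARY_TOKEN)
    clock.advance(1)
    # t=3: c3 presents cert_b, for which the notary never replies
    log.log("c3", {"uid": "c3", "notary": None}, tokens=[NOTARY_TOKEN])
    _, answer = notary.lookup(cert_b)
    if answer is not None:
        log.record("c3")["notary"] = answer
        log.undelay("c3", NOTARY_TOKEN)
    clock.advance(15)
    # t=18: the 15 s maximum is reached; the periodic flush emits c3 unenriched
    log.flush()
    # asking about cert_a again within the hour is served from the cache
    notary.lookup(cert_a)
    queries_within_hour = notary.queries
    clock.advance(ONE_HOUR)
    notary.lookup(cert_a)   # cache entry expired: one more real query
    return {
        "written": log.written,
        "queries_within_hour": queries_within_hour,
        "queries_after_hour": notary.queries,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The model uses an explicit flush() call to stand in for the periodic timer that a real implementation would need for the timeout path; without it a record whose delay is never removed would only be re-examined when some other record is undelayed.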
Due to the changing state of the notary, it is difficult to write a test
case for this script. Thus I'll just file it as a merge request, and would
appreciate it if folks (in particular Seth :-) could have a look at it.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/928>
Bro Tracker <http://tracker.bro-ids.org/bro>