[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Change x509 log - now certificates are only logged once per hour. (0d50b8b)
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Mar 13 12:36:40 PDT 2014
On Mar 13, 2014, at 12:54 PM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:
> function get_file_handle(c: connection, is_orig: bool): string
> local depth: count;
> if ( is_orig )
> depth = c$ssl$client_depth;
> depth = c$ssl$server_depth;
> return cat(Analyzer::ANALYZER_SSL, c$start_time, is_orig, id_string(c$id), depth);
> I have no idea if that is “matching” or not - in any case, the above C code does not work in combination with that
> file handle generation. Thinking about it, it makes sense - the EndOfFile function probably calls get_file_handle again for
> that connection, gets a different file handle back (because the counters are increased), and hence removal will not work.
Yes, that looks like what would happen.
> …even after reading through the how to, I was not quite clear on the fact, that get_file_handle
> has to always return the same value for the same file. Which is impossible to accomplish in cases
> like this, because, several certificates are sent over a connection, and you do not get any further information
> with the get_file_handle call. So - you more or less have to return differing IDs for everything.
Instead of incrementing the depth in get_file_handle, it could increment it in a x509_certificate handler? That way the handle remains the same between the DataIn/EndOfFile pairs, but the next DataIn/EndOfFile will get a new file handle due to the incremented depth.
Not suggesting you change it from using the pre-computed file id method you currently have, just challenging the impossibility claim :). And I do agree the whole script-layer generation of file handle string is difficult to understand/use, but I don’t have any ideas at the moment for helping that...
> Perhaps the EndOfFile functions should get some warning that details in which circumstances you can use
> them (probably - static per-connection ID).
I don’t think there’s any limitation/circumstances unique to EndOfFile that differs from the other FAF APIs.
> Also - it might be nice to throw some kind of reporter warning when EndOfFile is called for a file ID that
> does not exists.
> If I understood everything right, that should never happen during normal operations, should it?
It could be that the file timed out and was already cleaned up before a protocol analyzer called EndOfFile. I think it can also be the case that a protocol analyzer only ever calls EndOfFile because a connection got closed/reset before any file data was seen.
More information about the bro-dev