Add a tag indicating session has a certificate-authority cert (arkime…
…#2388)

* Add a tag indicating session has certificate-authority cert
mcgillowen authored Aug 31, 2023
1 parent d362eb8 commit f8a88fa
Showing 18 changed files with 56 additions and 9 deletions.
4 changes: 4 additions & 0 deletions capture/parsers/tls.c
Expand Up @@ -473,6 +473,10 @@ LOCAL void tls_process_server_certificate(MolochSession_t *session, const unsign
moloch_session_add_tag(session, "cert:self-signed");
}

if (certs->isCA) {
moloch_session_add_tag(session, "cert:certificate-authority");
}


if (!moloch_field_certsinfo_add(certsField, session, certs, clen*2)) {
moloch_field_certsinfo_free(certs);
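Review bot: The new `if (certs->isCA)` block tags the session once for every certificate that reaches this point in tls_process_server_certificate, so a server that sends its intermediate or root CA in the chain is tagged the same as one whose leaf certificate itself asserts CA; the fixture updates in this commit (the openssl-*.test, https*.test and smtp-starttls.test files) show most TLS sessions in the suite now carry the tag, which limits its value as an anomaly signal. If the intent is to flag a CA certificate presented as the end-entity certificate, it is presumably worth checking that `certs` is the first certificate of the chain before tagging, or else documenting that the tag means "server chain contains a CA certificate"; a comment such as `// tagged for each CA cert seen in the server chain, not only the leaf` above the new `if` would make that explicit (how isCA is populated is outside this hunk). The two empty lines left between the new block and the `moloch_field_certsinfo_add` call should be collapsed to one to match the spacing after the self-signed check. tls_process_server_certificate starts and ends outside the hunk.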
1 change: 1 addition & 0 deletions tests/api-multiunique.t
Expand Up @@ -93,6 +93,7 @@ eq_or_diff($txt,
"byhost2, 7
byip1, 1
byip2, 1
cert:certificate-authority, 3
domainwise, 7
dstip, 4
hosttaggertest1, 7
1 change: 1 addition & 0 deletions tests/api-unique.t
Expand Up @@ -96,6 +96,7 @@ eq_or_diff($txt,
"byhost2, 7
byip1, 1
byip2, 1
cert:certificate-authority, 3
domainwise, 7
dstip, 4
hosttaggertest1, 7
4 changes: 4 additions & 0 deletions tests/pcap/https-connect.test
Expand Up @@ -214,6 +214,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "434f4e4e45435420",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 9,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/https-generalizedtime.test
Expand Up @@ -173,10 +173,11 @@
"srcOuiCnt" : 1,
"srcPayload8" : "1603010200010001",
"tags" : [
"cert:certificate-authority",
"dstip",
"srcip"
],
"tagsCnt" : 2,
"tagsCnt" : 3,
"tcpflags" : {
"ack" : 2,
"dstZero" : 0,
4 changes: 4 additions & 0 deletions tests/pcap/https2-301-get.test
Expand Up @@ -182,6 +182,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "8080010301005700",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 8,
"dstZero" : 0,
4 changes: 4 additions & 0 deletions tests/pcap/https3-301-get.test
Expand Up @@ -188,6 +188,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "1603010072010000",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 8,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/openssl-ssl3.test
Expand Up @@ -242,9 +242,10 @@
"srcOuiCnt" : 1,
"srcPayload8" : "1603000087010000",
"tags" : [
"cert:certificate-authority",
"srcip"
],
"tagsCnt" : 1,
"tagsCnt" : 2,
"tcpflags" : {
"ack" : 10,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/openssl-tls1-tls1_2.test
Expand Up @@ -243,9 +243,10 @@
"srcOuiCnt" : 1,
"srcPayload8" : "1603010102010000",
"tags" : [
"cert:certificate-authority",
"srcip"
],
"tagsCnt" : 1,
"tagsCnt" : 2,
"tcpflags" : {
"ack" : 10,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/openssl-tls1.test
Expand Up @@ -242,9 +242,10 @@
"srcOuiCnt" : 1,
"srcPayload8" : "16030100a4010000",
"tags" : [
"cert:certificate-authority",
"srcip"
],
"tagsCnt" : 1,
"tagsCnt" : 2,
"tcpflags" : {
"ack" : 10,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/openssl-tls1_1.test
Expand Up @@ -243,9 +243,10 @@
"srcOuiCnt" : 1,
"srcPayload8" : "16030100a4010000",
"tags" : [
"cert:certificate-authority",
"srcip"
],
"tagsCnt" : 1,
"tagsCnt" : 2,
"tcpflags" : {
"ack" : 10,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/openssl-tls1_2-tls1.test
Expand Up @@ -240,9 +240,10 @@
"srcOuiCnt" : 1,
"srcPayload8" : "1603010102010000",
"tags" : [
"cert:certificate-authority",
"srcip"
],
"tagsCnt" : 1,
"tagsCnt" : 2,
"tcpflags" : {
"ack" : 8,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/openssl-tls1_2.test
Expand Up @@ -243,9 +243,10 @@
"srcOuiCnt" : 1,
"srcPayload8" : "1603010102010000",
"tags" : [
"cert:certificate-authority",
"srcip"
],
"tagsCnt" : 1,
"tagsCnt" : 2,
"tcpflags" : {
"ack" : 10,
"dstZero" : 0,
4 changes: 4 additions & 0 deletions tests/pcap/pppoe.test
Expand Up @@ -158,6 +158,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "804c010300003300",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"srcRIR" : "ARIN",
"tcpflags" : {
"ack" : 4,
3 changes: 2 additions & 1 deletion tests/pcap/smtp-starttls.test
Expand Up @@ -253,10 +253,11 @@
"srcOuiCnt" : 1,
"srcPayload8" : "45484c4f20787878",
"tags" : [
"cert:certificate-authority",
"smtp:starttls",
"srcip"
],
"tagsCnt" : 2,
"tagsCnt" : 3,
"tcpflags" : {
"ack" : 12,
"dstZero" : 0,
12 changes: 12 additions & 0 deletions tests/pcap/socks-https-example.test
Expand Up @@ -348,6 +348,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "040101bb5db8d877",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 15,
"dstZero" : 0,
Expand Down Expand Up @@ -741,6 +745,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "040101bb00000001",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 15,
"dstZero" : 0,
Expand Down Expand Up @@ -1143,6 +1151,10 @@
],
"srcOuiCnt" : 1,
"srcPayload8" : "0502000105010001",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 16,
"dstZero" : 0,
3 changes: 2 additions & 1 deletion tests/pcap/socks4-https.test
Expand Up @@ -222,11 +222,12 @@
"srcPayload8" : "040101bb00000001",
"tags" : [
"acked-unseen-segment-dst",
"cert:certificate-authority",
"dstip",
"out-of-order-dst",
"srcip"
],
"tagsCnt" : 4,
"tagsCnt" : 5,
"tcpflags" : {
"ack" : 10,
"dstZero" : 0,
4 changes: 4 additions & 0 deletions tests/pcap/tls-alpn-h2.test
Expand Up @@ -151,6 +151,10 @@
"port" : 64034
},
"srcPayload8" : "16030100e8010000",
"tags" : [
"cert:certificate-authority"
],
"tagsCnt" : 1,
"tcpflags" : {
"ack" : 5,
"dstZero" : 0,
