package parsetypes
import (
"github.com/activecm/rita/config"
)
type (
	// SSL provides a data structure for bro's connection data: one record
	// of the SSL/TLS log. Each field carries three tags — the MongoDB key
	// (bson), the bro log column it is read from (bro) and the bro type the
	// parser uses for that column (brotype). Fields noted as possibly absent
	// in older bro versions presumably stay at their Go zero value when the
	// column is missing — TODO confirm against the parser.
	SSL struct {
		// TimeStamp of this connection
		TimeStamp int64 `bson:"ts" bro:"ts" brotype:"time"`
		// UID is the Unique Id for this connection (generated by Bro)
		UID string `bson:"uid" bro:"uid" brotype:"string"`
		// Source is the source address for this connection
		Source string `bson:"id_orig_h" bro:"id.orig_h" brotype:"addr"`
		// SourcePort is the source port of this connection
		SourcePort int `bson:"id_orig_p" bro:"id.orig_p" brotype:"port"`
		// Destination is the destination of the connection
		Destination string `bson:"id_resp_h" bro:"id.resp_h" brotype:"addr"`
		// DestinationPort is the port at the destination host
		DestinationPort int `bson:"id_resp_p" bro:"id.resp_p" brotype:"port"`
		// VersionNum : Numeric SSL/TLS version that the server chose
		VersionNum int `bson:"version_num" bro:"version_num" brotype:"count"`
		// Version : SSL/TLS version that the server chose (human-readable
		// counterpart of VersionNum)
		Version string `bson:"version" bro:"version" brotype:"string"`
		// Cipher : SSL/TLS cipher suite that the server chose
		Cipher string `bson:"cipher" bro:"cipher" brotype:"string"`
		// Curve : Elliptic curve the server chose when using ECDH/ECDHE
		Curve string `bson:"curve" bro:"curve" brotype:"string"`
		// ServerName : Value of the Server Name Indicator SSL/TLS extension.
		// It indicates the server name that the client was requesting, so it
		// is client-controlled data and should be treated as untrusted when
		// displayed or matched.
		ServerName string `bson:"server_name" bro:"server_name" brotype:"string"`
		// SessionID : Session ID offered by the client for session resumption.
		// Not used for logging.
		SessionID string `bson:"session_id" bro:"session_id" brotype:"string"`
		// Resumed : Flag to indicate if the session was resumed reusing the key
		// material exchanged in an earlier connection
		Resumed bool `bson:"resumed" bro:"resumed" brotype:"bool"`
		// ClientTicketEmptySessionSeen : Flag to indicate if we saw a non-empty
		// session ticket being sent by the client using an empty session ID.
		// This value is used to determine if a session is being resumed.
		// It's not logged. Note: may not be present in older bro versions.
		ClientTicketEmptySessionSeen bool `bson:"client_ticket_empty_session_seen" bro:"client_ticket_empty_session_seen" brotype:"bool"`
		// ClientKeyExchangeSeen : Flag to indicate if we saw a client key exchange
		// message sent by the client. This value is used to determine if a session
		// is being resumed. It's not logged.
		// Note: may not be present in older bro versions.
		ClientKeyExchangeSeen bool `bson:"client_key_exchange_seen" bro:"client_key_exchange_seen" brotype:"bool"`
		// ServerAppData : Count to track if the server already sent an application
		// data packet for TLS 1.3. Used to track when a session was established
		// Note: may not be present in older bro versions.
		ServerAppData int `bson:"server_appdata" bro:"server_appdata" brotype:"count"`
		// ClientAppData : Flag to track if the client already sent an application
		// data packet for TLS 1.3. Used to track when a session was established
		// Note: may not be present in older bro versions.
		ClientAppData bool `bson:"client_appdata" bro:"client_appdata" brotype:"bool"`
		// LastAlert : Last alert that was seen during the connection.
		LastAlert string `bson:"last_alert" bro:"last_alert" brotype:"string"`
		// NextProtocol : Next protocol the server chose using the application layer
		// next protocol extension, if present.
		NextProtocol string `bson:"next_protocol" bro:"next_protocol" brotype:"string"`
		// AnalyzerID : The analyzer ID used for the analyzer instance attached to
		// each connection. It is not used for logging since it's a meaningless
		// arbitrary number. Note: may not be present in older bro versions.
		AnalyzerID int `bson:"analyzer_id" bro:"analyzer_id" brotype:"count"`
		// Established : Flag to indicate if this ssl session has been established
		// successfully, or if it was aborted during the handshake
		Established bool `bson:"established" bro:"established" brotype:"bool"`
		// Logged : Flag to indicate if this record already has been logged, to
		// prevent duplicates. Note: may not be present in older bro versions.
		Logged bool `bson:"logged" bro:"logged" brotype:"bool"`
		// CertChainFuids : File UIDs of the certificate chain offered by the
		// server (presumably for cross-referencing the files/x509 logs).
		// NOTE(review): the bro tag reads "cert_chain" while the field name and
		// the client-side counterpart use the "_fuids" suffix — confirm the
		// column name against the bro version being parsed.
		CertChainFuids []string `bson:"cert_chain" bro:"cert_chain" brotype:"vector[string]"`
		// ClientCertChainFuids : File UIDs of the certificate chain offered by
		// the client, if any — assumed per bro's ssl log; confirm.
		ClientCertChainFuids []string `bson:"client_cert_chain_fuids" bro:"client_cert_chain_fuids" brotype:"vector[string]"`
		// Subject : Subject of the X.509 certificate offered by the server —
		// assumed per bro's ssl log; confirm.
		Subject string `bson:"subject" bro:"subject" brotype:"string"`
		// Issuer : Subject of the signer of the certificate offered by the
		// server — assumed per bro's ssl log; confirm.
		Issuer string `bson:"issuer" bro:"issuer" brotype:"string"`
		// ClientSubject : Subject of the X.509 certificate offered by the
		// client, if any — assumed per bro's ssl log; confirm.
		ClientSubject string `bson:"client_subject" bro:"client_subject" brotype:"string"`
		// ClientIssuer : Subject of the signer of the certificate offered by
		// the client, if any — assumed per bro's ssl log; confirm.
		ClientIssuer string `bson:"client_issuer" bro:"client_issuer" brotype:"string"`
		// ValidationStatus : Result of certificate validation for this
		// connection as reported by bro (assumed; confirm). Together with
		// Version and Cipher this is the field detection logic typically
		// queries for untrusted or self-signed certificates.
		ValidationStatus string `bson:"validation_status" bro:"validation_status" brotype:"string"`
		// ValidationCode : Numeric counterpart of ValidationStatus (the earlier
		// comment here repeated VersionNum's description by mistake). Exact
		// code meanings are not visible in this file — confirm against the
		// bro version being parsed.
		ValidationCode int `bson:"validation_code" bro:"validation_code" brotype:"int"`
	}
)
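// TargetCollection returns the mongo collection this entry should be inserted
// into.
//
// The parameter is named cfg rather than config so that it does not shadow
// the imported config package inside the method body; Go callers pass it
// positionally, so the rename is invisible to them.
func (in *SSL) TargetCollection(cfg *config.StructureTableCfg) string {
	return cfg.SSLTable
}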
// Indices gives MongoDB indices that should be used with the collection:
// hashed indexes on the source and destination host keys, which are the
// bson keys of the Source and Destination fields of SSL.
func (in *SSL) Indices() []string {
	const (
		sourceHostIndex      = "$hashed:id_orig_h"
		destinationHostIndex = "$hashed:id_resp_h"
	)
	// A fresh slice is returned on every call so callers may append to or
	// modify it without affecting later calls.
	return []string{sourceHostIndex, destinationHostIndex}
}