
app-layer-ssl: Validity dates from TLS certificates (v17) #2280

Closed
wants to merge 12 commits

@thus (Contributor) commented Sep 25, 2016

Get validity dates (notBefore and notAfter) from TLS certificates.

Adds new detection keywords (tls_cert_notbefore and tls_cert_notafter), adds validity dates to the extended JSON log and extended TLS log output, and adds new lua functions TlsGetCertNotBefore() and TlsGetCertNotAfter().

Updates:

  • Try to omit OpenBSD 5.4 bug that is causing trouble
  • Don't use strptime when timestamp is epoch, since OpenBSD and Cygwin strptime don't support %s.

This PR fixes the following issue:

Prscript:

  • Decode ASN.1 element type GeneralizedTime in DER-encoded structures.
  • Add function SCMkTimeUtc to convert broken-down time to Unix epoch in UTC.
  • Parsing of certificate validity dates to get notBefore and notAfter fields.
  • Add function SCStringPatternToTime to parse a date string based on an array of pattern strings.
  • Detection plugin for TLS certificate fields notBefore and notAfter.

    Supports equal to, less than, greater than, and range operations for both keywords. Dates can be represented as either ISO 8601 or epoch (Unix time).

    Examples:
    alert tls [...] tls_cert_notafter:1445852105; [...]
    alert tls [...] tls_cert_notbefore:<2015-10-22T23:59:59; [...]
    alert tls [...] tls_cert_notbefore:>2015-10-22; [...]
    alert tls [...] tls_cert_notafter:2000-10-22<>2020-05-15; [...]
  • Add function CreateUtcIsoTimeString to create a UTC time string.
  • Add notBefore and notAfter fields from TLS certificate to extended JSON output.
  • Add notBefore and notAfter fields from TLS certificate to extended tls log output.
  • Add functions TlsGetCertNotBefore and TlsGetCertNotAfter to get notBefore and notAfter fields from TLS certificate in lua scripts.
  • Move DetectEngineInspectGenericList from detect-engine-dns.c to detect-engine.c to enable it to be used other places as well.
  • Add detect engine for tls validity keywords (tls_cert_notbefore and tls_cert_notafter).
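The operand grammar and time handling the description above lays out, as an added example written for this page in C (it is not code from the PR or from Suricata): a parser for the three operand forms in the rule examples (epoch, ISO 8601 date, ISO 8601 date-time, taken as UTC) that converts to Unix epoch with pure arithmetic rather than timegm() or strptime("%s"), which the description notes are not portable, plus a matcher for the equal, less-than, greater-than and range forms. The function names parse_rule_time and tls_validity_match, the sample certificate time, and the exclusive-on-both-ends range semantics are assumptions for illustration, not Suricata's.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil). Pure arithmetic: no dependency on the host's timegm(). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Broken-down UTC time to Unix epoch (the job SCMkTimeUtc does in the PR). */
static int64_t utc_to_epoch(int y, int mo, int d, int h, int mi, int s)
{
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + s;
}

/* Parse a keyword operand of len bytes: all-digit epoch ("1445852105"),
 * "YYYY-MM-DD" or "YYYY-MM-DDTHH:MM:SS" (ISO 8601, read as UTC).
 * Returns 1 and sets *out on success, 0 on a malformed operand. */
int parse_rule_time(const char *s, size_t len, int64_t *out)
{
    char buf[32];
    size_t i;
    int all_digits = 1;
    int y, mo, d, h = 0, mi = 0, sec = 0, n;

    if (len == 0 || len >= sizeof buf)
        return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';

    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)buf[i])) {
            all_digits = 0;
            break;
        }
    }
    /* Epoch operand: convert directly instead of strptime("%s"), which the
     * PR description says is missing on OpenBSD and Cygwin. */
    if (all_digits) {
        *out = (int64_t)strtoll(buf, NULL, 10);
        return 1;
    }
    /* Date only yields 3 conversions; date-time yields 6; anything else is bad. */
    n = sscanf(buf, "%4d-%2d-%2dT%2d:%2d:%2d", &y, &mo, &d, &h, &mi, &sec);
    if (n != 3 && n != 6)
        return 0;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60)
        return 0;
    *out = utc_to_epoch(y, mo, d, h, mi, sec);
    return 1;
}

/* Evaluate a tls_cert_notbefore / tls_cert_notafter value against a certificate
 * field already converted to epoch. Forms, as in the PR's examples: "T" (equal),
 * "<T", ">T", "A<>B" (range; assumed exclusive at both ends here).
 * Returns 1 on match, 0 on no match, -1 if the value does not parse. */
int tls_validity_match(const char *value, int64_t cert_time)
{
    int64_t lo, hi;
    const char *range = strstr(value, "<>");

    if (range != NULL) {
        if (!parse_rule_time(value, (size_t)(range - value), &lo))
            return -1;
        if (!parse_rule_time(range + 2, strlen(range + 2), &hi))
            return -1;
        if (lo >= hi)            /* empty or inverted range is a rule error */
            return -1;
        return cert_time > lo && cert_time < hi;
    }
    if (value[0] == '<' || value[0] == '>') {
        if (!parse_rule_time(value + 1, strlen(value + 1), &lo))
            return -1;
        return value[0] == '<' ? cert_time < lo : cert_time > lo;
    }
    if (!parse_rule_time(value, strlen(value), &lo))
        return -1;
    return cert_time == lo;
}

int main(void)
{
    /* Constructed sample certificate: notAfter = epoch 1445852105, the value
     * from the PR's first example (2015-10-26T09:35:05Z). */
    int64_t not_after = 1445852105;
    const char *rules[] = { "1445852105", "<2015-10-22T23:59:59", ">2015-10-22",
                            "2000-10-22<>2020-05-15", "2020-05-15<>2000-10-22" };
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("tls_cert_notafter:%s -> %d\n", rules[i],
               tls_validity_match(rules[i], not_after));
    return 0;
}
```

The all-digit check decides the operand form before any date parsing, so an epoch never reaches sscanf and the ISO path never has to guess whether "1445852105" is a year; the range check rejects an inverted "A<>B" at load time rather than silently never matching.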
@inliniac (Contributor)
Merged through #2284, thanks Mats! Thanks for your patience with the portable time handling :)

@inliniac inliniac closed this Sep 26, 2016