

Merge pull request #1453 from p-l-/fix-cert-searches
Support cacert filters (web), support negative cert searches
p-l- committed Nov 1, 2022
2 parents 8d6f05a + c2f786c commit db23fca
Showing 7 changed files with 87 additions and 60 deletions.
3 changes: 2 additions & 1 deletion ivre/db/__init__.py
Expand Up @@ -1795,6 +1795,7 @@ def searchcert(
pksha1=None,
pksha256=None,
cacert=False,
neg=False,
):
# This method exists for backends with no specific
# implementation. It has the drawback of not being capable of
Expand Down Expand Up @@ -1827,7 +1828,7 @@ def searchcert(
continue
values[key] = hashval.lower()
return cls.searchscript(
name="ssl-cacert" if cacert else "ssl-cert", values=values
name="ssl-cacert" if cacert else "ssl-cert", values=values, neg=neg
)

@classmethod
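Review bot: The new `neg` parameter is not described anywhere in this fallback implementation; the comment that opens the body (`# This method exists for backends with no specific implementation ...`) explains why the method exists but not what negation means for it, and the only visible use is the `neg=neg` forwarded to `cls.searchscript(...)`. I would extend that comment with a line such as `# neg: forwarded unchanged to searchscript(), which applies the negation` so a reader does not have to trace into searchscript to find out. The searchcert signature starts above the first hunk and the body continues between the two hunks, so the comment may have to be placed there. The same forwarding is added in ivre/db/mongo.py and the same note applies to it.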
43 changes: 28 additions & 15 deletions ivre/db/elastic.py
Expand Up @@ -1562,6 +1562,7 @@ def searchcert(
pksha1=None,
pksha256=None,
cacert=False,
neg=False,
):
req = []
if keytype is not None:
Expand Down Expand Up @@ -1624,34 +1625,46 @@ def searchcert(
req.append(Q("terms", **{key: [val.lower() for val in hashval]}))
continue
req.append(Q("match", **{key: hashval.lower()}))
if not req:
return Q(
if req:
res = Q(
"nested",
path="ports",
query=Q(
"nested",
path="ports.scripts",
query=Q(
"match",
**{"ports.scripts.id": "ssl-cacert" if cacert else "ssl-cert"},
query=cls.flt_and(
Q(
"match",
**{
"ports.scripts.id": "ssl-cacert"
if cacert
else "ssl-cert"
},
),
Q(
"nested",
path="ports.scripts.ssl-cert",
query=cls.flt_and(*req),
),
),
),
)
return Q(
"nested",
path="ports",
query=Q(
else:
res = Q(
"nested",
path="ports.scripts",
query=cls.flt_and(
Q(
path="ports",
query=Q(
"nested",
path="ports.scripts",
query=Q(
"match",
**{"ports.scripts.id": "ssl-cacert" if cacert else "ssl-cert"},
),
Q("nested", path="ports.scripts.ssl-cert", query=cls.flt_and(*req)),
),
),
)
)
if neg:
return ~res
return res

@classmethod
def searchhassh(cls, value_or_hash=None, server=None):
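Review bot: The two branches of the new `if req:` / `else:` each rebuild the same two outer `nested` wrappers (`ports`, then `ports.scripts`) around the same `match` on `ports.scripts.id`, and differ only in whether the `ports.scripts.ssl-cert` nested filter is ANDed in, so the negation change is spread over two near-identical query trees. Building the script-level query once and wrapping it a single time leaves one copy of the `ssl-cacert`/`ssl-cert` selection and of the nested paths, and keeps the `if neg: return ~res` tail unchanged. The `~res` negation mirrors what ivre/db/tiny.py does in this commit; how the dsl's `~` composes with nested queries cannot be verified from this page, so that part is taken as-is. searchcert's signature starts above the first hunk.
```python
        # … unchanged: building req from the keytype / hash / subject filters …
        script_query = Q(
            "match",
            **{"ports.scripts.id": "ssl-cacert" if cacert else "ssl-cert"},
        )
        if req:
            script_query = cls.flt_and(
                script_query,
                Q("nested", path="ports.scripts.ssl-cert", query=cls.flt_and(*req)),
            )
        res = Q(
            "nested",
            path="ports",
            query=Q("nested", path="ports.scripts", query=script_query),
        )
        if neg:
            return ~res
        return res
```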
2 changes: 2 additions & 0 deletions ivre/db/mongo.py
Expand Up @@ -2931,6 +2931,7 @@ def searchcert(
pksha1=None,
pksha256=None,
cacert=False,
neg=False,
):
return cls.searchscript(
name="ssl-cacert" if cacert else "ssl-cert",
Expand All @@ -2946,6 +2947,7 @@ def searchcert(
pksha1=pksha1,
pksha256=pksha256,
),
neg=neg,
)

def searchhttptitle(self, title):
6 changes: 5 additions & 1 deletion ivre/db/tiny.py
Expand Up @@ -1046,9 +1046,10 @@ def searchcert(
pksha1=None,
pksha256=None,
cacert=False,
neg=False,
):
q = Query()
return q.ports.any(
res = q.ports.any(
q.scripts.any(
(q.id == ("ssl-cacert" if cacert else "ssl-cert"))
& getattr(q, "ssl-cert").any(
Expand All @@ -1068,6 +1069,9 @@ def searchcert(
)
)
)
if neg:
return ~res
return res

@classmethod
def searchhttptitle(cls, title):
56 changes: 31 additions & 25 deletions ivre/web/utils.py
Expand Up @@ -482,33 +482,39 @@ def add_unused(neg, param, value):
flt = dbase.flt_and(flt, dbase.searchsshkey(**{subfield: value}))
else:
add_unused(neg, param, value)
elif not neg and param == "cert":
flt = dbase.flt_and(flt, dbase.searchcert())
elif param.startswith("cert."):
elif param == "cert":
flt = dbase.flt_and(flt, dbase.searchcert(neg=neg))
elif param == "cacert":
flt = dbase.flt_and(flt, dbase.searchcert(neg=neg, cacert=True))
elif param.startswith("cert.") or param.startswith("cacert."):
cacert = param.split(".", 1)[0] == "cacert"
subfield = param.split(".", 1)[1]
if subfield == "self_signed" and value is None:
flt = dbase.flt_and(flt, dbase.searchcert(self_signed=not neg))
elif not neg:
if subfield in {"md5", "sha1", "sha256", "subject", "issuer"}:
flt = dbase.flt_and(
flt,
dbase.searchcert(
**{
subfield: utils.str2regexp(value),
}
),
)
elif subfield in {"pubkey.md5", "pubkey.sha1", "pubkey.sha256"}:
flt = dbase.flt_and(
flt,
dbase.searchcert(
**{
"pk%s" % subfield[7:]: utils.str2regexp(value),
}
),
)
else:
add_unused(neg, param, value)
flt = dbase.flt_and(
flt, dbase.searchcert(self_signed=not neg, cacert=cacert)
)
elif subfield in {"md5", "sha1", "sha256", "subject", "issuer"}:
flt = dbase.flt_and(
flt,
dbase.searchcert(
cacert=cacert,
neg=neg,
**{
subfield: utils.str2regexp(value),
},
),
)
elif subfield in {"pubkey.md5", "pubkey.sha1", "pubkey.sha256"}:
flt = dbase.flt_and(
flt,
dbase.searchcert(
cacert=cacert,
neg=neg,
**{
"pk%s" % subfield[7:]: utils.str2regexp(value),
},
),
)
else:
add_unused(neg, param, value)
elif not neg and param == "httphdr":
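Review bot: `param.split(".", 1)` is evaluated twice at the top of the new `cert.`/`cacert.` branch, once for the prefix and once for the subfield; a single unpacking `prefix, subfield = param.split(".", 1)` followed by `cacert = prefix == "cacert"` reads better and makes the prefix test explicit. Separately, the help entries rewritten in web/static/ivre/content.js in this commit advertise `cert.keytype:`, `cert.pkmd5:`, `cert.pksha1:` and `cert.pksha256:` with the negation marker, while this branch only accepts the `md5`/`sha1`/`sha256`/`subject`/`issuer` and `pubkey.md5`/`pubkey.sha1`/`pubkey.sha256` subfields (the latter mapped to `pk*` via `"pk%s" % subfield[7:]`) and routes everything else to `add_unused`; unless `keytype` and the `pk*` spellings are handled outside the hunk, filters typed as the help suggests are silently ignored rather than applied. The enclosing function starts above the hunk and continues past it.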
1 change: 1 addition & 0 deletions pkg/codespell_ignore
Expand Up @@ -12,3 +12,4 @@ tha
nin
sur
ro
donot
36 changes: 18 additions & 18 deletions web/static/ivre/content.js
Expand Up @@ -362,83 +362,83 @@ var HELP_FILTERS = {
"content": "Look for Windows XP machines with TCP/445 port open.",
},
"cert.keytype:": {
"title": "cert.keytype:[exact value or /regexp/]",
"title": "<b>(!)</b>cert.keytype:[exact value or /regexp/]",
"content": "Look for a particular certificate public key type.",
},
"cert.self_signed": {
"title": "<b>(!)</b>cert.self_signed",
"content": "Look for self signed certificates.",
},
"cert.subject:": {
"title": "cert.subject:[exact value or /regexp/]",
"title": "<b>(!)</b>cert.subject:[exact value or /regexp/]",
"content": "Look for a particular certificate subject.",
},
"cert.issuer:": {
"title": "cert.subject:[exact value or /regexp/]",
"title": "<b>(!)</b>cert.subject:[exact value or /regexp/]",
"content": "Look for a particular certificate issuer.",
},
"cert.md5:": {
"title": "cert.md5:[MD5 hash or /MD5 hash regexp/]",
"title": "<b>(!)</b>cert.md5:[MD5 hash or /MD5 hash regexp/]",
"content": "Look for a particular certificate, based on the MD5 hash.",
},
"cert.sha1:": {
"title": "cert.sha1:[SHA1 hash or /SHA1 hash regexp/]",
"title": "<b>(!)</b>cert.sha1:[SHA1 hash or /SHA1 hash regexp/]",
"content": "Look for a particular certificate, based on the SHA1 hash.",
},
"cert.sha256:": {
"title": "cert.sha256:[SHA256 hash or /SHA256 hash regexp/]",
"title": "<b>(!)</b>cert.sha256:[SHA256 hash or /SHA256 hash regexp/]",
"content": "Look for a particular certificate, based on the SHA256 hash.",
},
"cert.pkmd5:": {
"title": "cert.pkmd5:[MD5 hash or /MD5 hash regexp/]",
"title": "<b>(!)</b>cert.pkmd5:[MD5 hash or /MD5 hash regexp/]",
"content": "Look for a particular certificate public key, based on the MD5 hash.",
},
"cert.pksha1:": {
"title": "cert.pksha1:[SHA1 hash or /SHA1 hash regexp/]",
"title": "<b>(!)</b>cert.pksha1:[SHA1 hash or /SHA1 hash regexp/]",
"content": "Look for a particular certificate public key, based on the SHA1 hash.",
},
"cert.pksha256:": {
"title": "cert.pksha256:[SHA256 hash or /SHA256 hash regexp/]",
"title": "<b>(!)</b>cert.pksha256:[SHA256 hash or /SHA256 hash regexp/]",
"content": "Look for a particular certificate public key, based on the SHA256 hash.",
},
"cacert.keytype:": {
"title": "cacert.keytype:[exact value or /regexp/]",
"title": "<b>(!)</b>cacert.keytype:[exact value or /regexp/]",
"content": "Look for a particular CA certificate public key type.",
},
"cacert.self_signed": {
"title": "<b>(!)</b>cacert.self_signed",
"content": "Look for self signed CA certificates.",
},
"cacert.subject:": {
"title": "cacert.subject:[exact value or /regexp/]",
"title": "<b>(!)</b>cacert.subject:[exact value or /regexp/]",
"content": "Look for a particular CA certificate subject.",
},
"cacert.issuer:": {
"title": "cacert.subject:[exact value or /regexp/]",
"title": "<b>(!)</b>cacert.subject:[exact value or /regexp/]",
"content": "Look for a particular CA certificate issuer.",
},
"cacert.md5:": {
"title": "cacert.md5:[MD5 hash or /MD5 hash regexp/]",
"title": "<b>(!)</b>cacert.md5:[MD5 hash or /MD5 hash regexp/]",
"content": "Look for a particular CA certificate, based on the MD5 hash.",
},
"cacert.sha1:": {
"title": "cacert.sha1:[SHA1 hash or /SHA1 hash regexp/]",
"title": "<b>(!)</b>cacert.sha1:[SHA1 hash or /SHA1 hash regexp/]",
"content": "Look for a particular CA certificate, based on the SHA1 hash.",
},
"cacert.sha256:": {
"title": "cacert.sha256:[SHA256 hash or /SHA256 hash regexp/]",
"title": "<b>(!)</b>cacert.sha256:[SHA256 hash or /SHA256 hash regexp/]",
"content": "Look for a particular CA certificate, based on the SHA256 hash.",
},
"cacert.pkmd5:": {
"title": "cacert.pkmd5:[MD5 hash or /MD5 hash regexp/]",
"title": "<b>(!)</b>cacert.pkmd5:[MD5 hash or /MD5 hash regexp/]",
"content": "Look for a particular CA certificate public key, based on the MD5 hash.",
},
"cacert.pksha1:": {
"title": "cacert.pksha1:[SHA1 hash or /SHA1 hash regexp/]",
"title": "<b>(!)</b>cacert.pksha1:[SHA1 hash or /SHA1 hash regexp/]",
"content": "Look for a particular CA certificate public key, based on the SHA1 hash.",
},
"cacert.pksha256:": {
"title": "cacert.pksha256:[SHA256 hash or /SHA256 hash regexp/]",
"title": "<b>(!)</b>cacert.pksha256:[SHA256 hash or /SHA256 hash regexp/]",
"content": "Look for a particular CA certificate public key, based on the SHA256 hash.",
},
"ssl-ja3-client": {
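Review bot: The `cert.issuer:` and `cacert.issuer:` entries keep a copy-pasted title on the rewritten lines: they read `"title": "<b>(!)</b>cert.subject:[exact value or /regexp/]"` and `"title": "<b>(!)</b>cacert.subject:[exact value or /regexp/]"` while their `content` describes the issuer, and since the commit touches both lines anyway they should become `"title": "<b>(!)</b>cert.issuer:[exact value or /regexp/]"` and `"title": "<b>(!)</b>cacert.issuer:[exact value or /regexp/]"`. The `(!)` marker is also added to `cert.keytype:` and the `cert.pkmd5:`/`pksha1:`/`pksha256:` entries (and their `cacert.` twins), which the web filter parser changed in ivre/web/utils.py in this commit does not visibly accept under those names (it handles `pubkey.md5`-style subfields and has no `keytype` branch); that may be handled elsewhere, but the help text and the parser should agree before advertising negation for them. The HELP_FILTERS object starts above the hunk and continues past it.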

