Add script for CVE-2020-0601

salt/zeek/policy/cve-2020-0601/COPYING

@@ -0,0 +1,27 @@
+Copyright (c) 2019, Johanna Amann. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Note that some files in the distribution may carry their own copyright
+notices.
+

salt/zeek/policy/cve-2020-0601/__load__.zeek

@@ -0,0 +1 @@
+@load ./cve-2020-0601

salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek

@@ -0,0 +1,41 @@
+module CVE_2020_0601;
+
+export {
+        ## set to yes, to log suspicious certificates.
+        option log_certs = F;
+
+        ## The logging stream identifier.
+        redef enum Log::ID += { LOG };
+
+        ## The record type which contains column fields of the certificate log.
+        type Info: record {
+                ## Timestamp when this record is written.
+                ts:          time   &log;
+                ## File-id of the cerfificate
+                fuid:        string &log;
+                ## Certificate encoded as base64
+                certificate: string &log;
+        };
+
+        redef enum Notice::Type += {
+                ## An ECC certificate with an unknown curve was encountered
+                Unknown_X509_Curve
+        };
+}
+
+event zeek_init()
+        {
+        Log::create_stream(CVE_2020_0601::LOG, [$columns=Info, $path="cve-2020-0601-certs"]);
+        }
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+        {
+        if ( cert?$key_alg && cert$key_alg == "id-ecPublicKey" && ! cert?$curve )
+                {
+                NOTICE([$note=Unknown_X509_Curve, $f=f, $msg="ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt"]);
+
+                if ( log_certs )
+                        Log::write(CVE_2020_0601::LOG, Info($ts=network_time(), $fuid=f$id, $certificate=encode_base64(x509_get_certificate_string(cert_ref, F))));
+                }
+        }
+