##! Detects X.509 certificates that carry an EC public key whose curve Zeek
##! could not name.  Under normal conditions EC keys use a well-known named
##! curve; a missing curve name is the signal this script raises a notice for,
##! since it matches the certificate shape associated with CVE-2020-0601.
##! Optionally the offending certificate is written, base64-encoded, to its own
##! log stream so an analyst can inspect it offline.

module CVE_2020_0601;

export {
	## Set to T to additionally write every suspicious certificate to the
	## "cve-2020-0601-certs" log stream. The notice is raised regardless of
	## this setting; only the certificate dump is gated by it.
	option log_certs = F;

	## The logging stream identifier.
	redef enum Log::ID += { LOG };

	## The record type which contains column fields of the certificate log.
	type Info: record {
		## Timestamp when this record is written.
		ts: time &log;
		## File-id of the certificate (fa_file$id), so the entry can be
		## joined with files.log / x509.log.
		fuid: string &log;
		## The DER-encoded certificate, base64-encoded.
		certificate: string &log;
	};

	redef enum Notice::Type += {
		## An ECC certificate with an unknown curve was encountered.
		Unknown_X509_Curve
	};
}
event zeek_init()
	{
	# Register the certificate dump stream at startup. Records only reach it
	# when log_certs is T; the stream itself always exists.
	Log::create_stream(LOG, Log::Stream($columns=Info, $path="cve-2020-0601-certs"));
	}
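## Raise a notice for every EC certificate whose curve Zeek did not recognise.
##
## f:        the file the certificate was extracted from; passed to NOTICE so
##           the notice framework can attach the connection context.
## cert_ref: handle used to fetch the raw certificate bytes.
## cert:     parsed certificate fields; only key_alg and curve are consulted.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	# Only EC keys are of interest, and only when the curve field is absent
	# (Zeek leaves $curve unset when the curve is not a recognised named curve).
	if ( ! cert?$key_alg || cert$key_alg != "id-ecPublicKey" || cert?$curve )
		return;

	# Fetch the DER bytes once; the F argument selects DER over PEM output.
	# Reused for both the suppression key and the optional log record.
	local der = x509_get_certificate_string(cert_ref, F);

	# $identifier keys notice suppression on the certificate bytes, so the same
	# certificate seen across many connections produces one notice per
	# suppression interval instead of flooding notice.log. $sub carries the
	# subject so an analyst can triage without pulling the certificate dump.
	NOTICE([$note=Unknown_X509_Curve,
	        $f=f,
	        $msg="ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt",
	        $sub=cert$subject,
	        $identifier=sha256_hash(der)]);

	if ( log_certs )
		Log::write(CVE_2020_0601::LOG, Info($ts=network_time(), $fuid=f$id, $certificate=encode_base64(der)));
	}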