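##! Suppresses x509.log entries for certificates on operator-maintained
##! allow-lists (serial, issuer DN, subject DN) and copies the connection
##! tuple from the file record onto every X.509 record that is kept.
##!
##! NOTE(review): every match below is on a value the certificate creator
##! controls. Serial numbers are only unique per issuing CA, so a short
##! serial such as "FF72ED" or "56097F2F" can also appear on a certificate
##! from an unrelated issuer, and issuer/subject DN strings can be copied
##! into a self-signed certificate. Any certificate that matches is removed
##! from X.509 logging, which makes these lists a detection blind spot.
##! Prefer matching on a certificate hash, or at least on the
##! (issuer, serial) pair, and review the lists regularly.

module X509_OPTIMIZE;

@load frameworks/files/deprecated-txhosts-rxhosts-connuids

export {
	## Certificate serial numbers whose X.509 records are dropped.
	const serials_to_shunt: set[string] = {} &redef;

	## Exact issuer DN strings whose X.509 records are dropped.
	const issuer_to_shunt: set[string] = {} &redef;

	## Exact subject DN strings whose X.509 records are dropped.
	const subject_to_shunt: set[string] = {} &redef;
}

redef X509_OPTIMIZE::serials_to_shunt += {
	"04D997FC64A51EC1C9712ADD7A0C79F7", # san_dns: www.capitalone.co.uk, capitalone.co.uk
	"56097F2F", # san_dns:NGMLX511
	"560984EE", # san_dns:datapower-prod
	"56098312", # san_dns:NGMLX512
	"8D1C137CB63FC5C3", # certificate_subject:emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San Francisco,ST=CA,C=US
	"E5B2FCC16997F546", # certificate_subject:emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San Francisco,ST=CA,C=US
	"37B1A9CE", # certificate_subject:O=Capital One,C=US
	"067F94578587E8AC77DEB253325BBC998B560D", # certificate_subject: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
	"A70E4A4C3482B77F", # certificate_subject:CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
	"067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6", # certificate_subject:CN=Amazon Root CA 1,O=Amazon,C=US
	"0546FE1823F7E1941DA39FCE14C46173", # certificate_subject:CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
	"0BF8493C2498A06CFDF745FB77452A7B", # certificate_subject:CN=*.newrelic.com,O=New Relic\, Inc.,L=San Francisco,ST=California,C=US
	"01E3A9301CFC7206383F9A531D", # certificate_subject:CN=Google Internet Authority G3,O=Google Trust Services,C=US
	"494DD21C", # certificate_subject:CN=iris-prod.kdc.capitalone.com,OU=Web Servers,O=Capital One,C=US
	"58C59C1D", # certificate_subject:CN=capionegw.kdc.capitalone.com,OU=Web Servers,O=Capital One,C=US
	"FF72ED" # certificate_subject:emailAddress=certadmin@netskope.com,CN=ca.capitalone.goskope.com,OU=6b52d2a5fd058459ca64b9cc4c82d697,O=Capital One Financial,L=McLean,ST=VA,C=US
};

# NOTE(review): this matches every certificate whose issuer field carries
# this exact string, including one that merely claims it.
redef X509_OPTIMIZE::issuer_to_shunt += {
	"emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San Francisco,ST=CA,C=US"
};

redef record X509::Info += {
	## Connection tuple (conn_id) copied from the file record the
	## certificate was extracted from.
	id: conn_id &log &optional;
};

# Returns T when the certificate's serial, issuer or subject is present in
# the corresponding shunt set.
function is_shunted(cert: X509::Certificate): bool
	{
	if ( cert?$serial && cert$serial in X509_OPTIMIZE::serials_to_shunt )
		return T;

	if ( cert?$issuer && cert$issuer in X509_OPTIMIZE::issuer_to_shunt )
		return T;

	if ( cert?$subject && cert$subject in X509_OPTIMIZE::subject_to_shunt )
		return T;

	return F;
	}

# Runs at priority 10; presumably that is ahead of the handler that writes
# x509.log, so deleting the record here keeps it out of the log. Confirm the
# ordering against the deployed Zeek version.
event file_state_remove(f: fa_file) &priority=10
	{
	if ( ! f$info?$x509 )
		return;

	if ( f$info$x509?$certificate && is_shunted(f$info$x509$certificate) )
		{
		delete f$info$x509;
		return;
		}

	# The file record's id is only copied when it is set; reading an unset
	# optional field would abort this handler with a runtime error.
	if ( f$info?$id )
		f$info$x509$id = f$info$id;
	}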