pk/CapOne-Zeek-Docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
CapOne-Zeek-Docker/capitalone/optimizations/reduce_x509.zeek
Patrick Kelley 04da5c1250 Inital
2025-05-28 14:31:31 -04:00

64 lines
3.6 KiB
Plaintext
Raw Permalink Blame History

module X509_OPTIMIZE;
@load frameworks/files/deprecated-txhosts-rxhosts-connuids
export {
const serials_to_shunt: set[string] = {} &redef;
const issuer_to_shunt: set[string] = {} &redef;
const subject_to_shunt: set[string] = {} &redef;
}
redef X509_OPTIMIZE::serials_to_shunt += { "04D997FC64A51EC1C9712ADD7A0C79F7", # san_dns: www.capitalone.co.uk, capitalone.co.uk
"56097F2F", # san_dns:NGMLX511
"560984EE", # san_dns:datapower-prod
"56098312", # san_dns:NGMLX512
"8D1C137CB63FC5C3", # certificate_subject:emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San Francisco,ST=CA,C=US
"E5B2FCC16997F546", # certificate_subject:emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San Francisco,ST=CA,C=US
"37B1A9CE", # certificate_subject:O=Capital One,C=US
"067F94578587E8AC77DEB253325BBC998B560D", # certificate_subject: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
"A70E4A4C3482B77F", # certificate_subject:CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
"067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6", # certificate_subject:CN=Amazon Root CA 1,O=Amazon,C=US'
"0546FE1823F7E1941DA39FCE14C46173", # certificate_subject:CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US,
"0BF8493C2498A06CFDF745FB77452A7B", # certificate_subject:CN=*.newrelic.com,O=New Relic\, Inc.,L=San Francisco,ST=California,C=US,
"01E3A9301CFC7206383F9A531D", # certificate_subject:CN=Google Internet Authority G3,O=Google Trust Services,C=US,
"494DD21C", # certificate_subject:CN=iris-prod.kdc.capitalone.com,OU=Web Servers,O=Capital One,C=US
"58C59C1D", # certificate_subject:CN=capionegw.kdc.capitalone.com,OU=Web Servers,O=Capital One,C=US
"FF72ED" # certificate_subject:emailAddress=certadmin@netskope.com,CN=ca.capitalone.goskope.com,OU=6b52d2a5fd058459ca64b9cc4c82d697,O=Capital One Financial,L=McLean,ST=VA,C=US
};
redef X509_OPTIMIZE::issuer_to_shunt += { "emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San Francisco,ST=CA,C=US" };
redef record X509::Info += {
## Connection UIDs associated with the X509 file transfer
id: conn_id &log &optional;
};
event file_state_remove(f: fa_file) &priority=10
{
if(!f$info?$x509) {
return;
}
if(f$info$x509?$certificate && f$info$x509$certificate?$serial) {
if(f$info$x509$certificate$serial in X509_OPTIMIZE::serials_to_shunt) {
delete f$info$x509;
return;
}
}
if(f$info$x509?$certificate && f$info$x509$certificate?$issuer) {
if(f$info$x509$certificate$issuer in X509_OPTIMIZE::issuer_to_shunt) {
delete f$info$x509;
return;
}
}
if(f$info$x509?$certificate && f$info$x509$certificate?$subject) {
if(f$info$x509$certificate$subject in X509_OPTIMIZE::subject_to_shunt) {
delete f$info$x509;
return;
}
}
f$info$x509$id = f$info$id;
}
Reference in New Issue View Git Blame Copy Permalink