base/files/x509/certificate-event-cache.zeek

X509

This script sets up the certificate event cache handling of Zeek.

The Zeek core provides a method to skip certificate processing for known certificates. For more details about this functionality, see x509_set_certificate_cache.

This script uses that feature to reduce the amount of processing Zeek has to perform by caching all certificate events for commonly seen certificates. For these certificates, parsing of certificate information in the core is disabled; instead, the cached events and data structures recorded from earlier encounters of the same certificate are replayed.

Namespace

X509

Imports

base/files/x509/main.zeek

Summary

Runtime Options

X509::caching_required_encounters: count &redef

How often a certificate has to be encountered before its events are cached.

X509::caching_required_encounters_interval: interval &redef

The timespan over which caching_required_encounters has to be reached.

X509::certificate_cache_max_entries: count &redef

Maximum size of the certificate event cache.

X509::certificate_cache_minimum_eviction_interval: interval &redef

After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

X509::x509_certificate_cache_replay: hook

This hook performs event replays when a certificate that is already in the cache is encountered.

Detailed Interface

Runtime Options

X509::caching_required_encounters
Type

count

Attributes

&redef

Default

10

How often a certificate has to be encountered before its events are cached. Set to 0 to disable caching of certificates.

X509::caching_required_encounters_interval
Type

interval

Attributes

&redef

Default

1.0 min 2.0 secs

The timespan over which caching_required_encounters has to be reached.

X509::certificate_cache_max_entries
Type

count

Attributes

&redef

Default

10000

Redefinition

from policy/files/x509/disable-certificate-events-known-certs.zeek

=:

100000

Maximum size of the certificate event cache.

X509::certificate_cache_minimum_eviction_interval
Type

interval

Attributes

&redef

Default

1.0 min 2.0 secs

After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

X509::x509_certificate_cache_replay
Type

hook (f: fa_file, e: X509::Info, sha256: string) : bool

This hook performs event replays when a certificate that is already in the cache is encountered.

The replay behavior can be changed, or the replayed events skipped entirely, by installing a hook handler with a higher priority than the one in this script.
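The following is an added example showing how a site script would tune the runtime options above and install a higher-priority handler for X509::x509_certificate_cache_replay; it is not part of the Zeek base script or its documentation. The priority value 10, the module name X509CacheTuning, the tuning values, and the placeholder fingerprint in skip_replay_for are all assumptions chosen for illustration; the only requirement for the handler to run first is that its priority exceed that of the base script's own replay handler.

```zeek
# Added example (not part of Zeek's base/files/x509 scripts): tune the
# certificate event cache and observe or suppress replays from a
# higher-priority hook handler.
@load base/files/x509

module X509CacheTuning;

export {
	## Constructed allowlist of SHA256 certificate fingerprints whose cached
	## events should not be replayed. The entry below is a placeholder, not
	## a real hash; replace it with fingerprints from your own environment.
	const skip_replay_for: set[string] = {
		"<sha256-of-well-known-cert-placeholder>",
	} &redef;
}

# Require more sightings (within a longer window) before a certificate's
# events are cached, allow a larger cache, and keep entries longer before
# they become eligible for eviction. Values are illustrative assumptions.
redef X509::caching_required_encounters = 20;
redef X509::caching_required_encounters_interval = 5 mins;
redef X509::certificate_cache_max_entries = 50000;
redef X509::certificate_cache_minimum_eviction_interval = 10 mins;

# Per-fingerprint count of cache replays, useful for checking that the
# cache actually hits in your traffic mix.
global replay_hits: table[string] of count &default=0;

# &priority=10 is an assumption: it only has to be higher than the base
# script's replay handler so that this handler runs before it.
hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=10
	{
	++replay_hits[sha256];

	# 'break' stops lower-priority handlers of this hook, so the base
	# script's replay of the cached certificate events is skipped for
	# fingerprints in the allowlist. All other certificates are replayed
	# as usual.
	if ( sha256 in skip_replay_for )
		break;
	}

event zeek_done()
	{
	for ( h in replay_hits )
		print fmt("cached certificate %s replayed %d times", h, replay_hits[h]);
	}
```

Load this alongside the default scripts (for example, zeek -r capture.pcap local x509-cache-tuning.zeek with the file saved under that name) and compare the replay counts printed at shutdown against the x509.log volume to confirm the cache is reducing core-side parsing for the certificates you see most often.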