base/files/x509/certificate-event-cache.zeek

X509

This script sets up the certificate event cache handling of Zeek.

The Zeek core provides a method to skip certificate processing for known certificates. For more details about this functionality, see x509_set_certificate_cache.

This script uses that feature to lower the amount of processing Zeek has to perform, by caching all certificate events for commonly seen certificates. For these certificates, the parsing of certificate information in the core is disabled. Instead, the events and data structures cached from earlier encounters of the same certificate are replayed.

Namespace:

X509

Imports:

base/files/x509/main.zeek

Summary

Runtime Options

X509::caching_required_encounters: count &redef

How many times a certificate has to be encountered before its events are cached.

X509::caching_required_encounters_interval: interval &redef

The timespan within which caching_required_encounters has to be reached.

X509::certificate_cache_max_entries: count &redef

Maximum number of entries in the certificate event cache.

X509::certificate_cache_minimum_eviction_interval: interval &redef

After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

X509::x509_certificate_cache_replay: hook

This hook replays the cached events when a certificate that is already in the cache is encountered.

Detailed Interface

Runtime Options

X509::caching_required_encounters
Type:

count

Attributes:

&redef

Default:

10

How many times a certificate has to be encountered before its events are cached. Set to 0 to disable caching of certificates.

X509::caching_required_encounters_interval
Type:

interval

Attributes:

&redef

Default:

1.0 min 2.0 secs

The timespan within which caching_required_encounters has to be reached.

X509::certificate_cache_max_entries
Type:

count

Attributes:

&redef

Default:

10000

Redefinition:

from policy/files/x509/disable-certificate-events-known-certs.zeek:

= 100000

Maximum number of entries in the certificate event cache.

X509::certificate_cache_minimum_eviction_interval
Type:

interval

Attributes:

&redef

Default:

1.0 min 2.0 secs

After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

X509::x509_certificate_cache_replay
Type:

hook (f: fa_file, e: X509::Info, sha256: string) : bool

This hook replays the cached events when a certificate that is already in the cache is encountered.

To change this behavior, or to skip sending the events altogether, install a hook handler with a higher priority instead.
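The following Zeek script is an added example, not part of the Zeek distribution or of this script. It shows the two things the page describes: redefining the cache tunables listed above, and installing handlers for X509::x509_certificate_cache_replay with a priority higher (and, for observability, lower) than the script's own replay handler. The module name CertCacheExample, the set never_replay with its all-zero placeholder fingerprint, the table replay_counts, and the chosen tunable values are all assumptions made for this example.

```zeek
# Added example (not part of Zeek): tune the certificate event cache and
# customise replay behaviour via hook handler priorities.
@load base/files/x509

# Example values for the tunables documented above; they are not Zeek's defaults.
redef X509::caching_required_encounters = 25;
redef X509::caching_required_encounters_interval = 5 mins;
redef X509::certificate_cache_max_entries = 50000;
redef X509::certificate_cache_minimum_eviction_interval = 15 mins;

module CertCacheExample;

export {
	## SHA-256 fingerprints for which cached events must never be replayed.
	## The value is a constructed placeholder, not a real certificate hash.
	const never_replay: set[string] = {
		"0000000000000000000000000000000000000000000000000000000000000000",
	} &redef;

	## How many times each cached certificate has had its events replayed.
	global replay_counts: table[string] of count;
}

# Higher priority than the replay handler shipped with the script, so this
# runs first. `break` terminates the hook with a false result, so the cached
# events for that certificate are not sent (the behaviour the documentation
# describes for a higher-priority handler).
hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=100
	{
	if ( sha256 in never_replay )
		break;
	}

# Lower priority: runs after the script's own replay handler, and only when
# no earlier handler broke out. Counts replays per certificate fingerprint.
hook X509::x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string) &priority=-100
	{
	if ( sha256 !in replay_counts )
		replay_counts[sha256] = 0;
	++replay_counts[sha256];
	}

# At shutdown, report how much work the cache saved per certificate.
event zeek_done()
	{
	for ( fp in replay_counts )
		Reporter::info(fmt("certificate %s: %d event replays served from cache",
		                   fp, replay_counts[fp]));
	}
```

Load it alongside base/files/x509 (for example with `zeek -r capture.pcap this-script.zeek`); the tunables take effect at startup, and the replay counts are reported when Zeek exits. Raising caching_required_encounters trades a little more parsing work for a smaller, more selective cache; lowering certificate_cache_minimum_eviction_interval frees entries for rarely seen certificates sooner.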