validate-sct.zeek

Perform validation of Signed Certificate Timestamps, as used for Certificate Transparency. See RFC6962 for more details.

Summary

`SSL::SctInfo`: `record`	This record is used to store information about the SCTs that are encountered in a SSL connection.
`SSL::SctSource`: `enum`	List of the different sources for Signed Certificate Timestamp

New Fields:

SSL::Info

valid_scts: count &optional: Number of valid SCTs that were encountered in the connection.
invalid_scts: count &optional: Number of SCTs that could not be validated that were encountered in the connection.
valid_ct_logs: count &log &optional: Number of different Logs for which valid SCTs were encountered in the connection.
valid_ct_operators: count &log &optional: Number of different Log operators of which valid SCTs were encountered in the connection.
valid_ct_operators_list: set [string] &optional: List of operators for which valid SCTs were encountered in the connection.
ct_proofs: vector of SSL::SctInfo &default = [] &optional: Information about all SCTs that were encountered in the connection.

Type:

record

Fields:

version: count: The version of the encountered SCT (should always be 0 for v1).

timestamp: count: The timestamp at which this SCT was issued measured since the epoch (January 1, 1970, 00:00), ignoring leap seconds, in milliseconds. Not converted to a Zeek timestamp because we need the exact value for validation.

This record is used to store information about the SCTs that are encountered in a SSL connection.

Type:

enum

SSL::SCT_X509_EXT: Signed Certificate Timestamp was encountered in the extension of an X.509 certificate.

SSL::SCT_TLS_EXT: Signed Certificate Timestamp was encountered in an TLS session extension.

SSL::SCT_OCSP_EXT: Signed Certificate Timestamp was encountered in the extension of an stapled OCSP reply.

List of the different sources for Signed Certificate Timestamp