Extract file content to local file system

file_extraction_limit

| Type: | event (f: fa_file, args: any, limit: count, offset: count, len: count) |
|---|---|

This event is generated when a file extraction analyzer is about to exceed the maximum permitted file size allowed by the extract_limit field of Files::AnalyzerArgs. The analyzer is automatically removed from file f.

| f: | The file. |
|---|---|
| args: | Arguments that identify the particular file extraction analyzer. They are provided only so that they can be passed along to FileExtract::set_limit. |
| limit: | The limit, in bytes, that the extracted file is about to breach. |
| offset: | The offset at which a file chunk is about to be written. |
| len: | The length of the file chunk about to be written. |

See also: Files::add_analyzer, Files::ANALYZER_EXTRACT
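As an added example (not from the Zeek documentation or distribution), a handler that passes args through to FileExtract::set_limit to raise the limit once for files from selected sources; the module name, the 20 MiB cap and the source list are assumptions.

```zeek
##! Added example, not part of Zeek: raise the extraction limit once, up to a
##! cap of our own, instead of silently letting the extract analyzer be dropped.
@load base/files/extract

module ExtractLimit;

export {
    ## Assumed hard cap (20 MiB); tune per deployment.
    const hard_cap: count = 20 * 1024 * 1024 &redef;
    ## Assumed: only files carried over these sources get a second chance.
    const extend_sources: set[string] = { "HTTP", "SMTP" } &redef;
}

event file_extraction_limit(f: fa_file, args: any, limit: count, offset: count, len: count)
    {
    # The analyzer is about to write the chunk [offset, offset+len) past `limit`.
    local needed = offset + len;

    if ( f$source !in extend_sources || needed > hard_cap )
        {
        # Do nothing: the analyzer is removed and the on-disk copy stays
        # truncated at `limit` bytes.
        print fmt("extraction of %s from %s stopped at %d bytes (chunk needs %d)",
                  f$id, f$source, limit, needed);
        return;
        }

    # `args` identifies this particular extract analyzer instance; it is passed
    # along unchanged. set_limit() returns T when the new limit was applied.
    if ( FileExtract::set_limit(f, args, hard_cap) )
        print fmt("raised extraction limit for %s from %d to %d bytes",
                  f$id, limit, hard_cap);
    }
```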
Hash file content

file_hash

| Type: | event (f: fa_file, kind: string, hash: string) |
|---|---|

This event is generated each time file analysis generates a digest of the file contents.

| f: | The file. |
|---|---|
| kind: | The type of digest algorithm. |
| hash: | The result of the hashing. |

See also: Files::add_analyzer, Files::ANALYZER_MD5, Files::ANALYZER_SHA1, Files::ANALYZER_SHA256
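As an added example (not from the Zeek documentation or distribution), a script that requests a SHA-256 digest for every file via Files::add_analyzer and, in file_hash, matches the result against a watch list; the module name, notice type and the placeholder hash value are assumptions.

```zeek
##! Added example, not part of Zeek: hash every file and raise a notice when
##! its SHA-256 digest is on a watch list.
@load base/frameworks/notice
@load base/files/hash

module HashWatch;

export {
    redef enum Notice::Type += {
        ## A file's SHA-256 digest matched HashWatch::watched_sha256.
        Match
    };

    ## Assumed watch list. The entry below is a constructed placeholder,
    ## not a real indicator; populate it via redef.
    const watched_sha256: set[string] = {
        "PLACEHOLDER_SHA256_0000000000000000000000000000000000000000000000"
    } &redef;
}

event file_new(f: fa_file)
    {
    # Request a SHA-256 digest; file_hash fires once the file is complete.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    # The md5 and sha1 analyzers raise the same event; select by kind.
    if ( kind != "sha256" )
        return;

    if ( hash !in watched_sha256 )
        return;

    # $f lets the notice framework fill in fuid and MIME type for us.
    NOTICE([$note=Match,
            $msg=fmt("file %s from %s matched watched sha256", f$id, f$source),
            $sub=hash,
            $f=f,
            $identifier=hash]);
    }
```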
Analyze Unified2 alert files.

unified2_event

| Type: | event (f: fa_file, ev: Unified2::IDSEvent) |
|---|---|

Abstracts all of the various Unified2 event formats into a single event.

| f: | The file. |
|---|---|
| ev: | TODO. |

unified2_packet

| Type: | event (f: fa_file, pkt: Unified2::Packet) |
|---|---|

The Unified2 packet format event.

| f: | The file. |
|---|---|
| pkt: | TODO. |
X509 certificate parser
x509_certificate

| Type: | event (f: fa_file, cert_ref: opaque, cert: X509::Certificate) |
|---|---|

Generated for each X509 certificate encountered, e.g., in a cleartext SSL/TLS connection handshake.

See Wikipedia for more information about the X.509 format.

| f: | The file. |
|---|---|
| cert_ref: | An opaque pointer to the underlying OpenSSL data structure of the certificate. |
| cert: | The parsed certificate information. |

See also: x509_extension, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_verify, x509_get_certificate_string
x509_extension

| Type: | event (f: fa_file, ext: X509::Extension) |
|---|---|

Generated for each X509 extension seen in a certificate.

See Wikipedia for more information about the X.509 format.

| f: | The file. |
|---|---|
| ext: | The parsed extension. |

See also: x509_certificate, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_verify, x509_get_certificate_string
x509_ext_basic_constraints

| Type: | event (f: fa_file, ext: X509::BasicConstraints) |
|---|---|

Generated for the X509 basic constraints extension seen in a certificate. This extension identifies whether the subject of the certificate is a CA.

| f: | The file. |
|---|---|
| ext: | The parsed basic constraints extension. |

See also: x509_certificate, x509_extension, x509_ext_subject_alternative_name, x509_parse, x509_verify, x509_get_certificate_string
x509_ext_subject_alternative_name

| Type: | event (f: fa_file, ext: X509::SubjectAlternativeName) |
|---|---|

Generated for the X509 subject alternative name extension seen in a certificate. This extension allows additional entities to be bound to the subject of the certificate. Usually it is used to specify one or more DNS names for which the certificate is valid.

| f: | The file. |
|---|---|
| ext: | The parsed subject alternative name extension. |

See also: x509_certificate, x509_extension, x509_ext_basic_constraints, x509_parse, x509_verify, x509_get_certificate_string
x509_parse

| Type: | function (cert: opaque) : X509::Certificate |
|---|---|

Parses a certificate into an X509::Certificate structure.

| cert: | The X509 certificate opaque handle. |
|---|---|
| Returns: | An X509::Certificate structure. |

See also: x509_certificate, x509_extension, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_verify, x509_get_certificate_string
x509_get_certificate_string

| Type: | function (cert: opaque, pem: bool &default = F &optional) : string |
|---|---|

Returns the string form of a certificate.

| cert: | The X509 certificate opaque handle. |
|---|---|
| pem: | A boolean that specifies whether the certificate is returned in PEM form (true) or as the raw ASN.1-encoded binary (false). |
| Returns: | The X509 certificate as a string. |

See also: x509_certificate, x509_extension, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_verify
x509_ocsp_verify

| Type: | function (certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default = network_time() &optional) : X509::Result |
|---|---|

Verifies an OCSP reply.

| certs: | Specifies the certificate chain to use, with the server certificate first. |
|---|---|
| ocsp_reply: | The OCSP reply to validate. |
| root_certs: | A list of root certificates used to validate the certificate chain. |
| verify_time: | The time at which the validity of the certificates is checked. |
| Returns: | A record of type X509::Result containing the result code of the verify operation. |

See also: x509_certificate, x509_extension, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_get_certificate_string, x509_verify
x509_verify

| Type: | function (certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default = network_time() &optional) : X509::Result |
|---|---|

Verifies a certificate.

| certs: | Specifies the certificate chain used to validate the given certificate against the root store given in root_certs. The host certificate has to be at index 0. |
|---|---|
| root_certs: | A list of root certificates used to validate the certificate chain. |
| verify_time: | The time at which the validity of the certificates is checked. |
| Returns: | A record of type X509::Result containing the result code of the verify operation. On success it also contains the full certificate chain. |

See also: x509_certificate, x509_extension, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_get_certificate_string, x509_ocsp_verify
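As an added example (not from the Zeek documentation or distribution), a script that builds the x509_opaque_vector for x509_verify from a TLS session's certificate chain, with the host certificate at index 0, checks the X509::Result, and inspects the leaf's parsed subject alternative name extension. It assumes the base SSL scripts and their SSL::root_certs store are loaded; the module name and notice types are assumptions.

```zeek
##! Added example, not part of Zeek: verify the server chain of every TLS
##! session with x509_verify and check the leaf's SAN extension.
@load base/frameworks/notice
@load base/protocols/ssl

module ChainCheck;

export {
    redef enum Notice::Type += {
        ## The chain did not validate against SSL::root_certs.
        Invalid_Chain,
        ## The leaf certificate carries no DNS name in its SAN extension.
        Leaf_Without_DNS_SAN
    };
}

event ssl_established(c: connection) &priority=3
    {
    if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0
         || ! c$ssl$cert_chain[0]?$x509 )
        return;

    # x509_verify takes opaque handles with the host certificate at index 0;
    # c$ssl$cert_chain already holds the certificates in the order sent.
    local chain: x509_opaque_vector = vector();
    for ( i in c$ssl$cert_chain )
        {
        if ( c$ssl$cert_chain[i]?$x509 )
            chain[|chain|] = c$ssl$cert_chain[i]$x509$handle;
        }

    local sni = c$ssl?$server_name ? c$ssl$server_name : "<no SNI>";
    local res = x509_verify(chain, SSL::root_certs);

    # result is 0 on success; result_string carries the failure reason otherwise.
    if ( res$result != 0 )
        NOTICE([$note=Invalid_Chain, $conn=c,
                $msg=fmt("chain for %s failed: %s", sni, res$result_string),
                $identifier=cat(c$id$resp_h, sni, res$result_string)]);

    # The parsed SAN extension lives on the leaf's X509::Info record.
    local leaf = c$ssl$cert_chain[0]$x509;
    if ( ! leaf?$san || ! leaf$san?$dns )
        NOTICE([$note=Leaf_Without_DNS_SAN, $conn=c,
                $msg=fmt("leaf for %s has no DNS SAN; subject %s",
                         sni, leaf$certificate$subject),
                $identifier=cat(c$id$resp_h, leaf$certificate$subject)]);
    }
```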