From 0e9ddf9ad22e76ea5d55733ec0a0f1259844cfa2 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 13 Aug 2015 11:11:48 -0700
Subject: [PATCH] add script for dh group length logging
---
 README.md | 5 +++++
 dhe-length.bro | 22 ++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 dhe-length.bro
diff --git a/README.md b/README.md
index e617885..eecc561 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,11 @@ impacted by the [Chrome SHA-1 sunset changes](http://googleonlinesecurity.blogsp
 Short, simple script that adds the name of the node that processed a connection to conn.log.
+[dhe-length.bro](dhe-length.bro)
+--------------------------------
+
+Another very short script that logs the DH discrete log group size to ssl.log.
+
 [validate-certs-cache-intermediates.bro](validate-certs-cache-intermediates.bro)
 --------------------------------------------------------------------------------
 This script performs certificate validation of all encountered X509 certificates.
diff --git a/dhe-length.bro b/dhe-length.bro
new file mode 100644
index 0000000..f67d995
--- /dev/null
+++ b/dhe-length.bro
@@ -0,0 +1,22 @@
+# This script adds the length of the discrete log group size of
+# the server DH parameters to ssl.log
+#
+# Questions -> johanna@icir.org
+
+@load base/protocols/ssl
+
+module SSL;
+
+export {
+ redef record Info += {
+ ## DH log group size
+ dh_param_size: count &log &optional;
+ };
+}
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority = 5
+ {
+ set_session(c);
+
+ c$ssl$dh_param_size = |p| * 8; # length of the used prime number in bits
+ }
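Review bot: `|p| * 8` in the last statement of ssl_dh_server_params logs the byte length of the encoded prime times eight, which is only an upper bound on the group's bit size: TLS sends p as an opaque byte string, so a leading zero byte or unset high bits in the first byte make dh_param_size overstate the real modulus length, and a reader hunting for weak groups in ssl.log would be misled by the field name and its `## DH log group size` doc comment. If stripping leading zero bytes before measuring is not wanted for such a short script, the caveat should at least be stated where the value is written, e.g. `# bytes of the encoded prime * 8: an upper bound on its bit length, since p may carry leading zero bytes`, and the record doc comment should read `## Size of the server DH prime in bits (upper bound, derived from the encoded length)`. Note also that the event fires once per ServerKeyExchange, so on a connection with several handshakes the field reflects the last one seen; a one-line comment saying so would save the next reader from checking.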