[Bro] Fwd: Logging an SSL Certificate

Martin Holste mcholste at gmail.com
Thu Jul 28 06:57:19 PDT 2011

Yep, this happens out of the box in Bro.  By default, it will log all
certificates seen, and it also logs any invalid certificates (for many
reasons) to the notice.log file (the alert file).

Also, you shouldn't be having any TCP reassembly issues in Snort if
it's a recent version.  Snort will absolutely not do any of this SSL
stuff, so you can forget about trying to use Snort and focus on using
Bro for this.  Seth got me going with it and it works as advertised.

On Thu, Jul 28, 2011 at 8:30 AM, Alvin Huang <alvinh999 at gmail.com> wrote:
> Hey guys,
> I was just wondering if there was a way to log the SSL certificates from an
> SSL handshake. I want to log these so that I can check the signer
> specifically and check their authenticity. I have been working in Snort IDS
> but I haven't been able to get this to work so I am going to try Bro if it
> is possible here instead. The main problems I run into on Snort is the TCP
> packets not reassembling and figuring out what content match to look for in
> the rules (although I can look through Wireshark and pull something out to
> try easily). Is this possible in Bro? Someone told me it would be available
> out of box on Bro so I am seriously considering this.
> Thanks in advance,
> Alvin
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list