[Bro] Fwd: Logging an SSL Certificate

Harry Hoffman hhoffman at ip-solutions.net
Thu Jul 28 07:06:42 PDT 2011

Snort can absolutely log SSL certs, you just need a rule for it (and I'm
guessing emerging-threats prolly has one).

Here's the rule I'm using (for our environment):
# ssl connections on high ports
alert tcp $HOME_NET ![25,443,465,587,636,993,995] -> !$HOME_NET any
(msg:"ssl_v3_out"; \
  content:"|16 03|"; depth:2; \
  content:"|02|"; distance:3; depth:1; \
  content:"|03|"; distance:3; depth:1; \
  content:"|16 03|"; content:"|0e|"; distance:3; depth:1; \
  sid:1000019; \
  threshold: type limit, track by_src, count 2, seconds 600;)

It logs more than just the cert but it's a good way to see things like
TOR traffic from bridges and the like as well as the high port SSL servu
ftp servers running on comp'd machines.


On 07/28/2011 09:57 AM, Martin Holste wrote:
> Yep, this happens out of the box in Bro.  By default, it will log all
> certificates seen, and it also logs any invalid certificates (for many
> reasons) to the notice.log file (the alert file).
> Also, you shouldn't be having any TCP reassembly issues in Snort if
> it's a recent version.  Snort will absolutely not do any of this SSL
> stuff, so you can forget about trying to use Snort and focus on using
> Bro for this.  Seth got me going with it and it works as advertised.
> On Thu, Jul 28, 2011 at 8:30 AM, Alvin Huang <alvinh999 at gmail.com> wrote:
>> Hey guys,
>> I was just wondering if there was a way to log the SSL certificates from an
>> SSL handshake. I want to log these so that I can check the signer
>> specifically and check their authenticity. I have been working in Snort IDS
>> but I haven't been able to get this to work so I am going to try Bro if it
>> is possible here instead. The main problems I run into on Snort are the TCP
>> packets not reassembling and figuring out what content match to look for in
>> the rules (although I can look through Wireshark and pull something out to
>> try easily). Is this possible in Bro? Someone told me it would be available
>> out of the box on Bro so I am seriously considering this.
>> Thanks in advance,
>> Alvin
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
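As an added example (not code from this thread, and not Bro's or Snort's own code), the following Python does on a reassembled TCP stream what Alvin asked for: it stitches TLS handshake messages back together across records, pulls the DER certificates out of the Certificate message and returns their SHA-256 fingerprints, and it also reproduces the byte checks of Harry's rule so the two can be compared on the same input. The handshake bytes and the certificate blob are constructed placeholders, not real traffic.

```python
import hashlib
HANDSHAKE, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 0x16, 0x02, 0x0B, 0x0E
def handshake_messages(stream):
    """Yield (type, body) handshake messages; a message may span several TLS records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):                       # 5-byte TLS record header
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        if stream[pos] == HANDSHAKE:
            buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    pos = 0
    while pos + 4 <= len(buf):                          # 4-byte handshake header
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield buf[pos], buf[pos + 4:pos + 4 + length]
        pos += 4 + length

def certificate_fingerprints(stream):
    """SHA-256 hex fingerprint of every DER cert in the Certificate message, leaf first."""
    fps = []
    for msg_type, body in handshake_messages(stream):
        if msg_type == CERTIFICATE:
            pos, end = 3, 3 + int.from_bytes(body[0:3], "big")
            while pos < end:                            # entry = 3-byte length + DER
                clen = int.from_bytes(body[pos:pos + 3], "big")
                fps.append(hashlib.sha256(body[pos + 3:pos + 3 + clen]).hexdigest())
                pos += 3 + clen
    return fps

def snort_rule_matches(payload):
    """The byte checks of the rule above, applied to one packet payload."""
    if payload[0:2] != b"\x16\x03" or payload[5:6] != b"\x02" or payload[9:10] != b"\x03":
        return False                                    # record hdr, ServerHello, major version
    i = payload.find(b"\x16\x03", 1)                    # a later record header ...
    while i != -1 and payload[i + 5:i + 6] != b"\x0e":  # ... followed by ServerHelloDone
        i = payload.find(b"\x16\x03", i + 1)            # (Snort retries later matches too)
    return i != -1

def handshake(msg_type, body):                          # 4-byte handshake header + body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(payload):                                    # wrap in a TLS 1.0 handshake record
    return b"\x16\x03\x01" + len(payload).to_bytes(2, "big") + payload

# Constructed sample (not real traffic): ServerHello, Certificate, ServerHelloDone.
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 20           # placeholder DER, not a real cert
SERVER_HELLO_MSG = handshake(SERVER_HELLO, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x2f\x00")
CERTIFICATE_MSG = handshake(CERTIFICATE, (len(FAKE_CERT) + 3).to_bytes(3, "big")
                            + len(FAKE_CERT).to_bytes(3, "big") + FAKE_CERT)
hs = SERVER_HELLO_MSG + CERTIFICATE_MSG
SAMPLE_STREAM = record(hs[:20]) + record(hs[20:]) + record(handshake(SERVER_HELLO_DONE, b""))
```

The Certificate message in the sample is deliberately split across two records: fed only the first record, the parser finds no certificate, which is exactly the reassembly problem Alvin describes, while Harry's rule only needs the bytes at fixed offsets in one packet.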