[Bro] Fwd: Logging an SSL Certificate

Martin Holste mcholste at gmail.com
Thu Jul 28 07:21:59 PDT 2011

> Snort can absolutly log SSL certs, you just need a rule for it (and I'm
> guessing emerging-threats prolly has one).
Right, it can log the packet in which the cert exists and do some
rudimentary checks for known strings contained within, but Bro will
actually decode the cert, walk the certificate chain, match against a
database of known-valid public keys from Mozilla, etc.  The end result
is a true test of whether or not the certificate is valid.  The ET
sigs (which I contributed to) for this are pretty basic content
matches and only work for very specific certs.

Alvin, Bro won't work on Windows, but it will read packet traces
created from the Windows box, so you could capture with wireshark and
then ship to a Linux or FreeBSD box running Bro.  Not ideal, to be
sure.  Usually you run an IDS on the network ahead of the devices
you're trying to monitor, not directly on them (though this is not
always possible).

More information about the Bro mailing list