[Bro] Question about data format of ssl.log files

Seth Hall seth at icir.org
Wed Feb 20 18:55:28 PST 2013

On Feb 20, 2013, at 5:01 PM, Tim Ray <tray at 21ct.com> wrote:

> So, the APT1 report has the certs in text format. Does Bro use that? Or is
> it all in DER?

Mandiant didn't actually distribute the certificates with their report they only included some information about the certs and the certs SHA1 hashes.  Unfortunately for a historical reason our SSL scripts by default only log the MD5 hash of the cert.  We can either get Mandiant to release MD5's for the certs or your can start logging SHA1's going forward.

Here's a script to add SHA-1 hashes for certs to your log (this is a very slight modification to the script we ship with 2.1)…

@load base/protocols/ssl
module SSL;
export {
	redef record Info += {
		## SHA1 hash of the DER encoded server certificate.
		sha1: string &log &optional;
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
	# We aren't tracking client certificates yet and we are also only tracking
	# the primary cert.  Watch that this came from an SSL analyzed session too.
	if ( is_orig || chain_idx != 0 || ! c?$ssl ) 

	c$ssl$sha1 = sha1_hash(der_cert);

Have fun.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list