[Bro] bug in ssl_alert event?

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Feb 5 10:11:51 PST 2014

On Feb 4, 2014, at 5:59 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:

> why when I print the "level" of the alert message I get numbers different from 1 (warning) or 2 (fatal) ?

The explanations I can think of are 1) bug in the ssl parser 2) ssl parser got attached to a connection that’s not actually ssl 3) the ssl alert records actually contain those odd level values.

If you can provide a small example pcap, that could be helpful.  Else you might get more clues by checking whether the values in c$ssl end up looking sane for the connections in question.

- Jon

More information about the Bro mailing list