[Bro] bug in ssl_alert event?
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Feb 5 10:11:51 PST 2014
On Feb 4, 2014, at 5:59 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:
> Why, when I print the "level" of the alert message, do I get numbers different from 1 (warning) or 2 (fatal)?
The explanations I can think of are 1) bug in the ssl parser, 2) ssl parser got attached to a connection that’s not actually ssl, 3) the ssl alert records actually contain those odd level values.
If you can provide a small example pcap, that could be helpful. Else you might get more clues by checking whether the values in c$ssl end up looking sane for the connections in question.
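
The check suggested above, as an added example that is not part of the original message or of the Bro distribution: an `ssl_alert` handler that, for any level other than 1 or 2, prints the connection's uid, endpoints, confirmed services and a few `c$ssl` fields so they can be judged for sanity. It assumes the Bro 2.2 event signature and the `version`, `cipher` and `server_name` field names of `c$ssl`.

```bro
# Added example; run against a trace with: bro -r <your.pcap> <this-script>.bro
@load base/protocols/ssl

event ssl_alert(c: connection, is_orig: bool, level: count, desc: count)
    {
    # 1 = warning, 2 = fatal; only the unexpected levels are of interest here.
    if ( level == 1 || level == 2 )
        return;

    print fmt("%s %s:%s -> %s:%s odd alert level=%d desc=%d sent by %s",
              c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              level, desc, is_orig ? "originator" : "responder");

    # Protocols confirmed on this connection; anything besides SSL here
    # hints that the SSL parser may be attached to non-SSL traffic.
    print fmt("  services: %s", c$service);

    if ( ! c?$ssl )
        {
        print "  c$ssl is not set for this connection";
        return;
        }

    # Optional fields are guarded with ?$ so a missing value prints as "-".
    local s = c$ssl;
    print fmt("  version=%s cipher=%s server_name=%s",
              s?$version ? s$version : "-",
              s?$cipher ? s$cipher : "-",
              s?$server_name ? s$server_name : "-");
    }
```

A connection whose `c$ssl` shows no plausible version or cipher points toward the second explanation, while sane values alongside odd levels point toward the first or third.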