[Bro] how can I get the hostname in a SSL connection?

Jessica Smith jes.smith.bro at aol.com
Mon Jan 27 15:44:54 PST 2014


I'm analyzing X.509 certificates and I have to check that the CN/SAN matches the hostname to which I am connecting. I was using the hostname value derived from the ssl extension "server_name", but in some cases this extension is not set. 
I then tried to use the lookup_addr() function but it returns nothing.

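event ssl_established(c: connection)
	{
	local hostname: string;

	# Use the SNI value when the client sent the server_name extension.
	if ( c$ssl?$server_name )
		hostname = c$ssl$server_name;

	# Asynchronous reverse DNS lookup of the responder address.
	when ( local host = lookup_addr(c$id$resp_h) ) { print host; }
	}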

It does not print the hostname. Why?
