[Bro] how can I get the hostname in a SSL connection?

Jessica Smith jes.smith.bro at aol.com
Tue Jan 28 08:53:14 PST 2014

yes, i'm working on trace files, so, there's noy way to wait the DNS reply? in that case I cannot check the validity of CN/SAN field, right?

-----Original Message-----
From: Seth Hall <seth at icir.org>
To: Jessica Smith <jes.smith.bro at aol.com>
Cc: bro <bro at bro.org>
Sent: Tue, Jan 28, 2014 3:10 pm
Subject: Re: [Bro] how can I get the hostname in a SSL connection?
Are you running this on live traffic or on a trace file?  If you are running on 
a tracefile, it could be that Bro is terminating before the DNS reply has a 
chance to get back into Bro and run that code.  When statements work like 
closures so they aren't executed immediately.  You can think of it like the body 
of the when statement is stored in the background until the condition for the 
when statement becomes true or completes, it's only then that the body is 

Also, you may want to print something just before the when statement just to 
make sure your code is actually making it to the when statement.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140128/b8de3b8f/attachment.html 

More information about the Bro mailing list