[Bro] Comparing file details and connection details at the same time
klehigh at iu.edu
Thu Jan 12 16:13:23 PST 2017
Specifically for x509 certificates, you might want to look at the x509_certificate event, which includes the connection details & the parsed certificate fields in one handy event.
The “misc/dump-events” script is invaluable for examining packet captures to figure out what events fire and what data is available for a given event.
bro -r some.pcap misc/dump-events
> On Jan 12, 2017, at 18:34, John B. Althouse III <sudo.darkstar at gmail.com> wrote:
> Brogramming question:
> I want my script to look at the conn details of an SSL session, orig_h, resp_h, etc., and also look at specific file details for that session, x509::certificate.sig_alg.
> How do I correlate the two in a Bro script since Bro handles connections and files separately?
> My thought process was to use 'event ssl_established' since it would have most of what I want, but it doesn't have x509 file details like the certificate.sig_alg, and I wasn't able to find the event that would contain both.
> Anyone know how I can do this?
> Bro mailing list
> bro at bro-ids.org
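As an added illustration of the approach suggested in the reply (this script is not from the thread or from the Bro distribution), the handler below uses the x509_certificate event to write the connection endpoints and the parsed sig_alg into one log line per connection the certificate was seen on. It assumes the Bro 2.5 script API of the time; the CertConn module, the cert_conn log and the weak-algorithm list are made up for this example.

```bro
# Added example (not from the original thread): one x509_certificate handler
# gives access to both the connection(s) and the parsed certificate fields.
# Assumes Bro 2.5 APIs; module/log names are invented for the example.
@load base/files/x509
@load base/protocols/ssl

module CertConn;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;   # orig_h/orig_p/resp_h/resp_p
        fuid:     string  &log;
        subject:  string  &log;
        sig_alg:  string  &log;
        weak_sig: bool    &log &default=F;
    };

    # Signature algorithms to flag (assumption: tune to local policy).
    const weak_sig_algs: set[string] = {
        "md5WithRSAEncryption",
        "sha1WithRSAEncryption",
    } &redef;
}

event bro_init()
    {
    Log::create_stream(CertConn::LOG, [$columns=Info, $path="cert_conn"]);
    }

# fa_file carries every connection the file was transferred over, so the
# connection record and the certificate fields are available together.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    if ( ! f?$conns )
        return;

    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        Log::write(CertConn::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                                   $fuid=f$id, $subject=cert$subject,
                                   $sig_alg=cert$sig_alg,
                                   $weak_sig=(cert$sig_alg in weak_sig_algs)]);
        }
    }
```

Run it against a capture with `bro -r some.pcap cert_conn.bro` and inspect cert_conn.log; the weak_sig column gives a defender a quick filter for certificates signed with deprecated algorithms.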