[Bro] expire-certs.bro can I get the expiry date too?
seth at corelight.com
Mon Oct 30 17:15:50 PDT 2017
Oh, if you're just looking for when all certificates expire it sounds
like you want the "not_valid_before" and "not_valid_after" timestamps in
the x509 log. Is that what you wanted?
On 30 Oct 2017, at 19:32, Ludwig Goon wrote:
> Does that only apply to the variable number of days before expiry? So
> instance if it set to 30 days all of those will fire within the 30 day
> window. Whereas everything else outside of the window will not fire.
> So if
> we want every cert we detect to fire should we set it to 0 or to like
> 3650 days? I may have answered my own question but still wanna get
> On Mon, Oct 30, 2017 at 10:41 Seth Hall <seth at corelight.com> wrote:
>> On 29 Oct 2017, at 18:01, Ludwig Goon wrote:
>>> Is there a way to also print in the notice.log the actual date the
>>> cert expires?
>> If you're talking about the notice from the
>> policy/protocols/ssl/expiring-certs.bro then the date should already
>> in there. For the three notices that script defines, you should get
>> these messages...
>> - fmt("Certificate %s isn't valid until %T", cert$subject,
>> - fmt("Certificate %s expired at %T", cert$subject,
>> - fmt("Certificate %s is going to expire at %T", cert$subject,
>> Seth Hall * Corelight, Inc * www.corelight.com
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro