[Bro] Fwd: Certificate extraction issue

Timur Makarchuk makarchuk at group-ib.com
Fri Feb 2 05:12:16 PST 2018

---------- Forwarded message ---------
From: Timur Makarchuk <makarchuk at group-ib.com>
Date: Fri, 2 Feb 2018 at 16:09
Subject: Certificate extraction issue
To: <bro at bro.org>

Hello, everybody

I have a problem I can't wrap my head around.
I'm trying to extract SSL certificates from traffic and I have an event
handler like this:

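event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) {
    # Name the output file after the current network time.
    local fileName = fmt("%s", current_time());
    print fileName;
    # `path` is not defined in this snippet; assumed to be a global set elsewhere in the script.
    local fname = fmt("%s%s.%s", path, fileName, "pem");
    local args: Files::AnalyzerArgs = record($extract_filename=fname);
    # Attach the extraction analyzer to the certificate file.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
}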

For some reason I don't understand, Bro can't add the analyzer to my files and
I'm not getting any files extracted:

1517409279.894576 warning in /opt/bro/share/bro/base/frameworks/files/./main.bro, line 394: Analyzer Files::ANALYZER_EXTRACT not added successfully to file Fp4AgEzEtME36Nfl2.

Any help will be much appreciated.
