[Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging

Bro Tracker bro at tracker.bro-ids.org
Mon Dec 24 23:14:51 PST 2012

#928: Incorporate ICSI certificate notary into SSL logging
 Reporter:  matthias           |      Owner:
     Type:  Test Case Missing  |     Status:  new
 Priority:  Normal             |  Milestone:  Bro2.2
Component:  Bro                |    Version:  git/master
 Keywords:                     |
 This commit (i) adds support for delayed logging for SSL records, and (ii)
 provides a new script notary.bro that interacts with the ICSI certificate

 The delayed logging implementation takes the idea of delaying notices one
 step further: it logs records in the order as they would normally occur by
 buffering them until a specified maximum timeout (by default 15 seconds).
 A user can delay a record by adding an opaque identifier, and is
 responsible to remove the same identifier later to "undelay" the record,
 allowing it to be flushed.

 The notary script comes as a client application to this new interface. For
 each leaf certificate in a chain sent by a server, the script computes the
 SHA1 hash and queries the notary. As soon as the reply arrives, the script
 enhances the SSL log record with the details from the notary response and
 undelays the record. The notary script also caches DNS replies for an hour
 after creation.

 Due to the changing state of the notary, it is difficult to write a test
 case for this script. Thus I'll just file it as a merge request, and would
 appreciate if folks (in particular Seth :-) could have a look at it.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/928>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list