[Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

Anthony Verez (JIRA) jira at bro-tracker.atlassian.net
Fri May 23 17:12:07 PDT 2014

Anthony Verez created BIT-1195:

             Summary: SSL: subject overflow in issuer_subject
                 Key: BIT-1195
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1195
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.2, git/master
         Environment: Tested on Debian and Security Onion
            Reporter: Anthony Verez
         Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz


I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master).

Steps to reproduce:
1. Start capturing
2. openssl s_client -connect
3. Stop capturing
4. Load the pcap in Bro

* cat -t master_logs/ssl.log -> "Orga^Inization"
* cat -t master_logs/x509.log -> "Orga^Inization"
* cat -t 2.2_logs/x509.log -> "Orga^Inization"

Whereas the openssl command above gives
subject=/businessCategory=Private Organization/ Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1

I have attached:
* the pcap
* logs in both 2.2 and master (bro -r capture.pcap)

Great job on beta 2.3 :-)

This message was sent by Atlassian JIRA
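
`cat -t` prints a tab as `^I`, so the output quoted in the report shows a tab inside the subject value, which in a tab-separated log pushes the rest of the subject into the next column. The following is an added example (not part of the original report or of Bro's code) that flags such rows by comparing each row's column count with the `#fields` header; the sample log is constructed and uses a reduced, assumed field list.

```python
def parse_header(header_lines):
    """Return (separator, field_names) from a Bro ASCII log's '#' header lines."""
    sep, fields = "\t", None
    for line in header_lines:
        if line.startswith("#separator"):
            # The header stores the separator as an escape sequence, e.g. \x09.
            raw = line.split(" ", 1)[1].strip()
            sep = raw.encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.rstrip("\n").split(sep)[1:]
    if fields is None:
        raise ValueError("log has no #fields header")
    return sep, fields


def misaligned_rows(text):
    """List (line_no, expected, actual, naive_mapping) for rows whose
    column count differs from the #fields header."""
    lines = text.splitlines()
    sep, fields = parse_header([l for l in lines if l.startswith("#")])
    findings = []
    for no, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        cols = line.split(sep)
        if len(cols) != len(fields):
            # naive_mapping shows what a column-based consumer would read.
            findings.append((no, len(fields), len(cols), dict(zip(fields, cols))))
    return findings


# Constructed sample: reduced field list, second data row has a tab
# embedded in the subject value (the "Orga^Inization" pattern).
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tsubject\tissuer_subject",
    "1400890000.0\tC1\tCN=example.test\tCN=Example CA",
    "1400890001.0\tC2\tbusinessCategory=Private Orga\tnization,CN=example.test\tCN=Example CA",
])

if __name__ == "__main__":
    for no, want, got, mapping in misaligned_rows(SAMPLE):
        print(f"line {no}: expected {want} columns, found {got}")
        print(f"  issuer_subject as read: {mapping['issuer_subject']!r}")
```
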
