[Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject
Anthony Verez (JIRA)
jira at bro-tracker.atlassian.net
Fri May 23 17:12:07 PDT 2014
Anthony Verez created BIT-1195:
----------------------------------
Summary: SSL: subject overflow in issuer_subject
Key: BIT-1195
URL: https://bro-tracker.atlassian.net/browse/BIT-1195
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.2, git/master
Environment: Tested on Debian and Security Onion
Reporter: Anthony Verez
Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
Hi,
I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
Steps to reproduce:
1. Start capturing
2. openssl s_client -connect 63.245.215.80:443
3. Stop capturing
4. Load the pcap in Bro
Problem:
* cat -t master_logs/ssl.log -> "Orga^Inization"
* cat -t master_logs/x509.log -> "Orga^Inization"
* cat -t 2.2_logs/x509.log -> "Orga^Inization"
Whereas the openssl command above gives
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
I have attached:
* the pcap
* logs in both 2.2 and master (bro -r capture.pcap)
Great job on beta 2.3 :-)
--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)
More information about the bro-dev
mailing list