[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
Johanna Amann (JIRA)
jira at bro-tracker.atlassian.net
Thu Nov 5 15:30:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22809#comment-22809 ]
Johanna Amann commented on BIT-1502:
------------------------------------
Since it works when running it directly through Bro, this means that this is not a problem of the Bro parsing of X.509 but a different problem of the process you use to replay your pcap file or capture your live traffic :).
What are the exact steps with which you tried using it through broctl? Are you using standalone mode or cluster mode? Could you see if the missed_bytes column of conn.log contains a number > 0 in the case where the x.509 log does not contain data? This would mean that Bro did not see all bytes of the underlying TLS connection, which makes it stop processing.
> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Assignee: Johanna Amann
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)
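
The missed_bytes check suggested in the comment above, as an added example that is not part of the original message or of Bro itself: it joins ssl.log to conn.log by `uid` and to x509.log by file id, then lists TLS connections that have no logged certificate along with their `missed_bytes`. It assumes Bro's default tab-separated ASCII logs with the `uid`, `missed_bytes`, `cert_chain_fuids` and `id` columns; the sample log lines are constructed and trimmed to the columns used.

```python
def read_bro_log(text):
    """Parse a Bro ASCII (tab-separated) log into dicts keyed by the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def tls_without_certs(conn_text, ssl_text, x509_text):
    """Return (uid, missed_bytes, verdict) for each ssl.log entry with no x509.log record."""
    missed = {r["uid"]: int(r["missed_bytes"]) for r in read_bro_log(conn_text)}
    logged = {r["id"] for r in read_bro_log(x509_text)}
    findings = []
    for r in read_bro_log(ssl_text):
        # "-" is an unset field and "(empty)" an empty set in Bro's ASCII writer.
        fuids = [f for f in r.get("cert_chain_fuids", "-").split(",")
                 if f not in ("-", "(empty)")]
        if any(f in logged for f in fuids):
            continue  # at least one certificate of this connection reached x509.log
        gap = missed.get(r["uid"], 0)
        findings.append((r["uid"], gap, "capture loss" if gap > 0 else "no gap seen"))
    return findings

def _log(*rows):
    """Build a constructed sample log from tuples of column values."""
    return "\n".join("\t".join(r) for r in rows)

# Constructed sample data (not taken from the reporter's setup).
CONN = _log(("#fields", "uid", "missed_bytes"),
            ("C1", "0"), ("C2", "4380"), ("C3", "0"))
SSL = _log(("#fields", "uid", "server_name", "cert_chain_fuids"),
           ("C1", "tweakers.net", "F1,F2"),
           ("C2", "facebook.com", "(empty)"),
           ("C3", "twitter.com", "(empty)"))
X509 = _log(("#fields", "id"), ("F1",), ("F2",))

if __name__ == "__main__":
    for uid, gap, verdict in tls_without_certs(CONN, SSL, X509):
        print(f"{uid}\tmissed_bytes={gap}\t{verdict}")
```

A "capture loss" verdict points at the replay or capture path rather than at X.509 parsing, which is the distinction the comment draws.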