[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Nov 5 15:30:00 PST 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22809#comment-22809 ] 

Johanna Amann commented on BIT-1502:

Since it works when running it directly through Bro, this means that this is not a problem of the Bro parsing of X.509 but a different problem of the process you use to replay your pcap file or capture your life traffic :).

What are the exact steps with which you tried using it through broctl? Are you using standalone mode or cluster mode? Could you see is the missed_bytes column of conn.log contains a number > 0 in the case where x.509 log does not contain data? This would mean that Bro did not see all bytes of the underlying TLS connection, which makes it stop processing.

> X509 doesn't log all certificates
> ---------------------------------
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.  
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list