[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
Gavin Spearhead (JIRA)
jira at bro-tracker.atlassian.net
Fri Nov 6 06:24:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22811#comment-22811 ]
Gavin Spearhead commented on BIT-1502:
--------------------------------------
Basically I installed the .deb package as on the website, fiddled a bit with the configuration:
Using this for node.cfg:
[bro]
type=standalone
host=localhost
interface=eth0
Tried disabling some bits and pieces in
/opt/bro/share/bro/site/local.bro
to no avail.
Run:
sudo broctl
> install
> start
Bro takes about 19% cpu.
zcat conn.17\:00\:00-18\:00\:00.log.gz | ../../bin/bro-cut missed_bytes id.resp_h|grep face
0 2a03:2880:1010:df05:face:b00c:0:2
17578 2a03:2880:1010:df05:face:b00c:0:2
4488 2a03:2880:2040:7f01:face:b00c:0:1
2820 2a03:2880:11:1f04:face:b00c:0:1
4653 2a03:2880:1010:df05:face:b00c:0:2
4343 2a03:2880:1010:df05:face:b00c:0:2
77198 2a03:2880:f013:8:face:b00c:0:1
50374 2a03:2880:1010:df05:face:b00c:0:2
3198 2a03:2880:f022:b:face:b00c:0:3
0 2a03:2880:f022:b:face:b00c:0:3
124697 2a03:2880:f022:b:face:b00c:0:3
68810 2a03:2880:f022:b:face:b00c:0:3
21575 2a03:2880:1010:df05:face:b00c:0:2
0 2a03:2880:f013:8:face:b00c:0:1
146790 2a03:2880:f013:8:face:b00c:0:1
85210 2a03:2880:f013:8:face:b00c:0:1
77505 2a03:2880:1010:df05:face:b00c:0:2
0 2a03:2880:f012:8:face:b00c:0:1
433464 2a03:2880:f012:8:face:b00c:0:1
242946 2a03:2880:f012:8:face:b00c:0:1
55640 2a03:2880:1010:df05:face:b00c:0:2
237749 2a03:2880:f013:8:face:b00c:0:1
428592 2a03:2880:f013:8:face:b00c:0:1
93314 2a03:2880:1010:6f03:face:b00c:0:2
And for Twitter:
zcat conn.17\:00\:00-18\:00\:00.log.gz | ../../bin/bro-cut missed_bytes id.resp_h|grep 199.16.156
14510 199.16.156.70
5477 199.16.156.8
2626 199.16.156.72
2625 199.16.156.8
0 199.16.156.8
0 199.16.156.199
0 199.16.156.72
1477 199.16.156.72
1752 199.16.156.198
2880 199.16.156.120
3025 199.16.156.9
1752 199.16.156.38
48034 199.16.156.38
7197 199.16.156.72
2625 199.16.156.8
0 199.16.156.72
0 199.16.156.104
> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Assignee: Johanna Amann
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?