[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
Johanna Amann (JIRA)
jira at bro-tracker.atlassian.net
Tue Nov 24 14:31:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23006#comment-23006 ]
Johanna Amann commented on BIT-1502:
Ok, it is really difficult to see what exactly is going on here, but basically, Bro is not seeing all bytes in the connections (and hence cannot decode the TLS sessions). Which is probably actually a different underlying problem that has not much to do with Bro (which only uses libpcap to get traffic from eth0 in your case).
How exactly are you replaying the traffic? Is it replayed from a different machine? Are you employing some kind of rate limiting, or is it simply sent at the full speed the interface is capable of? Could you potentially try just replaying your traffic while running tcpdump on the receiving side, to see if tcpdump misses packets too?
> X509 doesn't log all certificates
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Assignee: Johanna Amann
> Labels: ssl
> Fix For: 2.5
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug or a feature? Any idea how to ensure all the certificates are stored?
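A quick way to confirm the capture loss Johanna describes before blaming the X509 analyzer, as an added example that is not part of this thread: parse Bro's tab-separated conn.log and report SSL connections whose `missed_bytes` field is nonzero (Bro also marks such gaps with `g`/`G` in `history`). The field names assume Bro 2.4's conn.log layout; the sample records are constructed.

```python
"""Report Bro conn.log entries with capture loss (nonzero missed_bytes)."""
import io

# Constructed conn.log excerpt in Bro's TSV format (not from the bug report).
# Record Cdef2 has a 2920-byte gap on the responder side ("G" in history),
# which is exactly the situation where the server certificate never reaches
# the TLS analyzer even though the connection itself shows up in ssl.log.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tmissed_bytes\thistory\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tstring\n"
    "1448000000.1\tCabc1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t0\tShADadFf\n"
    "1448000001.2\tCdef2\t10.0.0.5\t51001\t203.0.113.20\t443\ttcp\tssl\t2920\tShADadGFf\n"
    "1448000002.3\tCghi3\t10.0.0.5\t51002\t203.0.113.30\t443\ttcp\tssl\t-\tS\n"
    "#close\t2015-11-24-14-31-00\n"
)


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # other metadata lines
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def capture_loss_report(text, service="ssl"):
    """Return (uids_with_gaps, total_missed_bytes, connections_checked)."""
    affected, lost, checked = [], 0, 0
    for rec in parse_bro_log(text):
        if rec["service"] != service:
            continue
        checked += 1
        missed = rec["missed_bytes"]
        if missed == "-":  # unset field: nothing measured for this flow
            continue
        if int(missed) > 0 or "g" in rec["history"].lower():
            affected.append(rec["uid"])
            lost += int(missed)
    return affected, lost, checked


if __name__ == "__main__":
    print(capture_loss_report(SAMPLE_CONN_LOG))
```

If this reports gaps on the very connections missing from x509.log, the fix belongs in the capture path (replay rate, NIC drops, libpcap buffer), not in Bro's certificate logging.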