[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

Gavin Spearhead (JIRA) jira at bro-tracker.atlassian.net
Tue Nov 24 15:21:00 PST 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23007#comment-23007 ] 

Gavin Spearhead commented on BIT-1502:

The machine is just my workstation. Bro is running on a live capture. It's not particularly busy, nor is there really a lot of traffic actually it's just browsing. There is no ratelimiting. I've been running tcpdump and wireshark as well and it doesn't look like there is anything missing. I ran a tcpdump for a bit and pulled it through bro, then everything just works fine.

.cmdline says
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

I don't see anything particularly interesting in the logs. apart from send-mail: SENDMAIL-NOTFOUND not found

> X509 doesn't log all certificates
> ---------------------------------
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.  
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list