[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
Gavin Spearhead (JIRA)
jira at bro-tracker.atlassian.net
Tue Nov 24 15:21:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23007#comment-23007 ]
Gavin Spearhead commented on BIT-1502:
--------------------------------------
The machine is just my workstation. Bro is running on a live capture. It's not particularly busy, nor is there really a lot of traffic actually it's just browsing. There is no ratelimiting. I've been running tcpdump and wireshark as well and it doesn't look like there is anything missing. I ran a tcpdump for a bit and pulled it through bro, then everything just works fine.
.cmdline says
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
I don't see anything particularly interesting in the logs. apart from send-mail: SENDMAIL-NOTFOUND not found
> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Assignee: Johanna Amann
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?
--
This message was sent by Atlassian JIRA
(v7.1.0-OD-01-053#71000)
More information about the bro-dev
mailing list