[Bro-Dev] Remove application/pkix-cert from files.log?

Seth Hall seth at icir.org
Fri Jul 15 08:08:29 PDT 2016


What does everyone think of making some change for 2.5 so that certificates from SSL aren't logged in the files.log by default?  I've heard grumblings about the number of certs that show up from quite a few people and personally noticed that the number of certificates will dwarf all other file types pretty badly, which makes the output look a bit weird since very few people are ever interested in looking at those files in the files.log.

Certificates would still be passed through the files framework, so it's not an architectural change, it would all be related to just not doing the log.  There is one minor issue that this brings up though in that right now certificate hashes are all given in the files.log.  We could move them elsewhere like x509.log or ssl.log, but I'm curious if anyone had thoughts on what they think would be most useful?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
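
An added example, not part of the original message or of Bro itself: a Python post-processor that drops `application/pkix-cert` rows from a files.log while keeping each certificate's SHA-1 keyed by fuid, so the hashes the message mentions are not lost when the rows go away. The sample log, its reduced column set, and the function name `split_files_log` are assumptions constructed for illustration.

```python
from collections import Counter

CERT_MIME = "application/pkix-cert"  # MIME type named in the thread subject

# Constructed sample in Bro's tab-separated ASCII log layout, with a reduced
# column set; the fuids and hashes are made-up placeholders.
SAMPLE_FILES_LOG = "\n".join([
    "#path\tfiles",
    "#fields\tts\tfuid\tsource\tmime_type\tsha1",
    "1468595309.0\tFAAAAA1\tSSL\tapplication/pkix-cert\t" + "a" * 40,
    "1468595309.1\tFAAAAA2\tSSL\tapplication/pkix-cert\t" + "b" * 40,
    "1468595310.2\tFAAAAA3\tHTTP\ttext/html\t" + "c" * 40,
    "1468595311.3\tFAAAAA4\tSSL\tapplication/pkix-cert\t" + "a" * 40,
    "1468595312.4\tFAAAAA5\tHTTP\t-\t-",
    "#close\t2016-07-15-08-08-29",
])


def split_files_log(text):
    """Return (kept_rows, cert_sha1_by_fuid, mime_counts) for one files.log."""
    fields, kept, cert_hashes, counts = None, [], {}, Counter()
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer metadata lines
        if fields is None:
            raise ValueError("no #fields header before data rows")
        row = dict(zip(fields, line.split("\t")))
        mime = row.get("mime_type", "-")  # "-" is Bro's unset-field marker
        counts[mime] += 1
        if mime == CERT_MIME:
            # Keep the hash so dropping the row does not lose it.
            if row.get("sha1", "-") != "-":
                cert_hashes[row["fuid"]] = row["sha1"]
        else:
            kept.append(row)
    return kept, cert_hashes, counts


if __name__ == "__main__":
    kept, cert_hashes, counts = split_files_log(SAMPLE_FILES_LOG)
    print(counts.most_common())          # certificate rows vs. everything else
    print([r["fuid"] for r in kept])     # rows that remain after filtering
    print(cert_hashes)                   # hashes preserved outside the log
```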