[Bro-Dev] Remove application/pkix-cert from files.log?

Johanna Amann johanna at icir.org
Fri Jul 15 08:54:05 PDT 2016

I think kind of like having the certificates being handled as files by 
default. However, I see that most people who run clusters in production 
do not want that information in files.log. So - from my point of view, 
it might make sense to have a policy script that filters certificates 
from files.log and adds the hashes to x509.log; and we have that 
auto-loaded by default in local.bro.

Would that make sense?


On 15 Jul 2016, at 8:08, Seth Hall wrote:

> What does everyone think of making some change for 2.5 so that 
> certificates from SSL aren't logged in the files.log by default?  I've 
> heard grumblings about the number of certs that show up from quite a 
> few people and personally noticed that the number of certificates will 
> dwarf all other files types pretty badly which makes the output look a 
> bit weird since very few people are ever interested in looking at 
> those files in the files.log.
> Certificates would still be passed through the files framework, so 
> it's not an architectural change, it would all be related to just not 
> doing the log.  There is one minor issue that this brings up though in 
> that right now certificate hashes are all given in the files.log.  We 
> could move them elsewhere like x509.log or ssl.log, but I'm curious if 
> anyone had thoughts on what they think would be most useful?
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

More information about the bro-dev mailing list