[Bro] Bro for Beginners/Logging SSL Certificate

Alvin Huang alvinh999 at gmail.com
Tue Aug 9 10:43:15 PDT 2011


Hey everyone,

This is my first time using Linux as well as using Bro so it has taken a
while for me to get it installed and up and running, but finally I think I
have it. I am running Bro 1.5.3 on Ubuntu and I have gotten BroCtl to start
but I have a couple questions:

1. Where are the rules written that Bro is supposed to alert on? I came from
Snort so I know a bit about IDS but I don't know how Bro is set up.
2. Where are the logs produced? /spool/broctl.dt?

What I really want to do is to log the packet(s) from an SSL handshake that
contain a certificate. I was sort of able to do this in Snort. Snort gave me
the right packets but the wrong data. I got the TCP Segment Data rather than
the reassembled TCP packet of the whole certificate itself. I was told Bro
could do this out of the box so hopefully this will work here.

Is this possible? How should I go about doing this. I am a true beginner
with Linux and I am having some trouble understanding what is going on.

Thanks in advance
Alvin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110809/a6389401/attachment.html 


More information about the Bro mailing list