[Bro] Howto

Seth Hall seth at icir.org
Thu Jul 21 10:25:53 PDT 2011


On Jul 21, 2011, at 12:48 PM, Martin Holste wrote:

> So when would one want to use this version?  If you need access to the
> entire cert chain for your calculations?

That's up to you. :)  I have a whole list of things you may want to do (and some of which will be done out of the box).

1. You may want to see the signing chain for a certificate, including the root signer.  This event will give you the subject, the actual certificate itself, etc.  Here's the cert structure...
	type X509: record {
		version: count;
		serial: string;
		subject: string;
		issuer: string;
		not_valid_before: time;
		not_valid_after: time;
	};

2. You need the full certificate chain to do certificate validation (that's already built into the script).

3. You may want to extract the certificates in the chain.  The entire certificate chain is given to you as DER and you can print it to a file with the &raw_output attribute.

> Ha, how much time do you have!

That's the only way we can make sure that we are solving real world problems. :) 

> Please, please do it this way:
> Create a generic external IO system that uses an HTTP protocol.  REST
> is preferred, but the simpler the better.


Thanks for the comments.  I think it's certainly possible that someone could already implement something like this with Broccoli and that's probably how it should be done anyway.  It would be like an API daemon. :)

Feel free to file a feature request ticket. I think creating an API daemon would be possible and could work quite well.
	http://tracker.bro-ids.org/
	
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
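
Added example, not part of the original message and not code from the Bro project: once a chain has been written out as raw DER (point 3 above), the file can be split back into individual certificates by reading each outer ASN.1 SEQUENCE header. It assumes the certificates were written back-to-back with no separator, which depends on the script doing the writing; the function names are hypothetical and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib

def split_der_chain(blob):
    """Split back-to-back DER certificates into a list of DER byte strings."""
    certs, pos = [], 0
    while pos < len(blob):
        if blob[pos] != 0x30:                    # a certificate is an ASN.1 SEQUENCE
            raise ValueError(f"offset {pos}: expected SEQUENCE tag 0x30")
        if pos + 2 > len(blob):
            raise ValueError(f"offset {pos}: truncated header")
        first = blob[pos + 1]
        if first < 0x80:                         # short form: the byte is the length
            hdr, length = 2, first
        else:                                    # long form: next n bytes hold the length
            n = first & 0x7F                     # n == 0 (indefinite) is not valid DER
            if n == 0 or n > 4 or pos + 2 + n > len(blob):
                raise ValueError(f"offset {pos}: bad or truncated length field")
            hdr, length = 2 + n, int.from_bytes(blob[pos + 2:pos + 2 + n], "big")
        end = pos + hdr + length
        if end > len(blob):
            raise ValueError(f"offset {pos}: certificate runs past end of data")
        certs.append(blob[pos:end])
        pos = end
    return certs

def to_pem(der):
    """Wrap one DER certificate in PEM armor (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    """SHA-256 over the DER bytes, the usual way to identify a certificate."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample: two placeholder SEQUENCEs, NOT real certificates.
SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x01])          # short-form length, 5 bytes
LONG = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)    # long-form length, 260 bytes
SAMPLE = SHORT + LONG

if __name__ == "__main__":
    for i, der in enumerate(split_der_chain(SAMPLE)):
        print(i, len(der), fingerprint(der))
        print(to_pem(der), end="")
```

A ValueError here usually means the capture was cut off mid-certificate or the file holds something other than concatenated DER.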




