[Bro] why x509_extensions event never called?
Jessica Smith
jes.smith.bro at aol.com
Mon Jan 27 08:50:03 PST 2014
Hi Seth,
thanks for reply, but there is no more information to give you. I just visited the site www.paypal.com and all SSL events (ssl_client_hello, ssl_server_hello, ssl_established, x509_certificate) are fired except x509_extension. I cannot understand why, but the Paypal's certificate contains many extensions.
module MYMODULE;
export {
}
event bro_init() {
# fires
}
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
{
# fires
}
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
{
# fires
}
event ssl_established(c: connection)
{
# fires
}
event x509_extension(c: connection, is_orig: bool, is_critical: bool, name: string, value: string)
{
print "THERE'S AN EXTENSION!"; # no fire
}
event x509_certificate(c: connection , is_orig: bool , cert: X509 , chain_idx: count , chain_len: count , der_cert: string )
{
# fires
}
Jessica
-----Original Message-----
From: Seth Hall <seth at icir.org>
To: Jessica Smith <jes.smith.bro at aol.com>
Cc: bro <bro at bro.org>
Sent: Mon, Jan 27, 2014 4:02 pm
Subject: Re: [Bro] why x509_extensions event never called?
On Jan 26, 2014, at 1:27 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:
> event x509_extension(c: connection, is_orig: bool, data: string)
> {
> print "THERE'S AN EXTENSION!";
> }
That looks correct. You're going to have to give us more information and
ideally a trace file. Also, consider that if you aren't seeing certificates
that have extensions you won't see this event fire.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140127/a1b43991/attachment.html
More information about the Bro
mailing list