[Bro] why x509_extensions event never called?

Jessica Smith jes.smith.bro at aol.com
Mon Jan 27 08:50:03 PST 2014


Hi Seth,
thanks for the reply, but there is no more information to give you. I just visited the site www.paypal.com and all SSL events (ssl_client_hello, ssl_server_hello, ssl_established, x509_certificate) are fired except x509_extension. I cannot understand why, but PayPal's certificate contains many extensions.





module MYMODULE;

export {
}

event bro_init()
{
	# fires
}

event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
{
	# fires
}

event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
{
	# fires
}

event ssl_established(c: connection)
{
	# fires
}

event x509_extension(c: connection, is_orig: bool, is_critical: bool, name: string, value: string)
{
	print "THERE'S AN EXTENSION!";  # no fire
}

event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
{
	# fires
}




Jessica


-----Original Message-----
From: Seth Hall <seth at icir.org>
To: Jessica Smith <jes.smith.bro at aol.com>
Cc: bro <bro at bro.org>
Sent: Mon, Jan 27, 2014 4:02 pm
Subject: Re: [Bro] why x509_extensions event never called?



On Jan 26, 2014, at 1:27 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:

> event x509_extension(c: connection, is_orig: bool, data: string) 
> {
> 	print "THERE'S AN EXTENSION!";
> }

That looks correct.  You're going to have to give us more information and 
ideally a trace file.  Also, consider that if you aren't seeing certificates 
that have extensions you won't see this event fire.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


 