[Bro] how can I get the hostname in a SSL connection?

Seth Hall seth at icir.org
Tue Jan 28 06:10:00 PST 2014


On Jan 27, 2014, at 6:44 PM, Jessica Smith <jes.smith.bro at aol.com> wrote:

> I'm analyzing X.509 certificates and I have to check that the CN/SAN matches the hostname to which I am connecting. I was using the hostname value derived from the SSL extension "server_name", but in some cases this extension is not set.

Yep, there is no requirement that certificates have the server name indicator extension.  You will also see this in cases where an SSL session is resumed and there is no certificate exchange.

> event ssl_established(c: connection)
>     {
>     local hostname: string;
> 
>     if ( c$ssl?$server_name )
>         hostname = c$ssl$server_name;
> 
>     when ( local host = lookup_addr(c$id$resp_h) ) { print host; }
>     }
> 
> It does not print the hostname. Why?

Are you running this on live traffic or on a trace file?  If you are running on a trace file, it could be that Bro is terminating before the DNS reply has a chance to get back into Bro and run that code.  When statements work like closures, so they aren't executed immediately.  You can think of it like this: the body of the when statement is stored in the background until the condition for the when statement becomes true or completes; only then is the body executed.

Also, you may want to print something just before the when statement just to make sure your code is actually making it to the when statement.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
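A fuller version of the handler discussed above, added here as an illustration and not code from the thread or from Bro itself: it prints before the `when` so you can see the handler is reached, uses a `timeout` clause so a slow or missing PTR answer is visible, and compares the name against the certificate CN. It assumes the Bro 2.2-era `SSL::Info` fields `server_name` and `subject` (a string such as `CN=www.example.com,O=Example`); the CN comparison is a simple substring check and does not cover SAN entries or wildcards.

```bro
# Added example, not from the original thread. Assumes c$ssl$server_name
# and c$ssl$subject (Bro 2.2-era SSL::Info fields).
module SSLHostCheck;

export {
    # How long to wait for the reverse lookup before giving up.
    const lookup_timeout = 5sec &redef;
}

# Compare a hostname (from SNI or from a PTR record) with the certificate CN.
function check_name(c: connection, hostname: string, source: string)
    {
    # No subject means no certificate was exchanged (e.g. a resumed session).
    if ( ! c$ssl?$subject )
        {
        print fmt("%s: no certificate subject (resumed session?)", c$uid);
        return;
        }

    local subj = to_lower(c$ssl$subject);
    local wanted = fmt("cn=%s", to_lower(hostname));

    # Match the whole CN component only (exact subject or followed by a comma).
    if ( subj == wanted || fmt("%s,", wanted) in subj )
        print fmt("%s: CN matches %s (from %s)", c$uid, hostname, source);
    else
        print fmt("%s: CN mismatch: subject=%s expected=%s (from %s)",
                  c$uid, c$ssl$subject, hostname, source);
    }

event ssl_established(c: connection)
    {
    # SNI present: the client told us which name it expects.
    if ( c$ssl?$server_name )
        {
        check_name(c, c$ssl$server_name, "sni");
        return;
        }

    # No SNI: fall back to a reverse lookup. Print first so it is obvious
    # the handler got this far; the when body runs later, when the DNS
    # answer arrives, and on a trace file Bro may exit before that happens.
    print fmt("%s: no SNI, scheduling reverse lookup of %s", c$uid, c$id$resp_h);

    when ( local host = lookup_addr(c$id$resp_h) )
        { check_name(c, host, "ptr"); }
    timeout lookup_timeout
        { print fmt("%s: reverse lookup of %s timed out", c$uid, c$id$resp_h); }
    }
```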
