[Bro] Problems parsing x509 issuer?

Shane Castle shane.castle at gmail.com
Thu Jun 5 09:45:20 PDT 2014


I saw that too, even when I was careful to get copies in the host's cert storage and run a script like the one outlined in (https://www.bro.org/current/solutions/extending/). It seems there is indeed an issue with the cert parsing code.

Sent from my iPad

> On Jun 5, 2014, at 18:22, Michael Wenthold <michael.wenthold at gmail.com> wrote:
> 
> All,
> 
> We are experimenting with tracking/whitelisting x509 certificate issuers, using Bro 2.2.  I'm seeing that certain certificates consistently don't appear to be getting parsed properly.
> 
> For example:
> 
> 1.311.60.2.1.3=#13025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
> 
> 025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
> 
> .1.3=#13025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
> 
> 
> This is just a small sample, but it appears to happen mostly with certain certificates (like the VeriSign extended validation certs). Is anyone else seeing this?
> 
> 
> Mike
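An added example (not part of the thread and not Bro's own code): a Python check that flags issuer strings like the three quoted above before they are compared against a whitelist, so a mangled value is reported rather than silently failing to match. It assumes the logged issuer is meant to be an RFC 4514-style string; the function names are this example's own, and the sample input is rebuilt from the strings quoted in the thread.

```python
import re

# Constructed sample input: the three issuer strings quoted in the thread above.
TAIL = ("CN=VeriSign Class 3 Extended Validation SSL SGC CA,"
        "OU=Terms of use at https://www.verisign.com/rpa (c)06,"
        "OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US")
SAMPLES = ["1.311.60.2.1.3=#13025553" + TAIL, "025553" + TAIL, ".1.3=#13025553" + TAIL]

SHORT_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")
DOTTED_OID = re.compile(r"(0|[1-9]\d*)(\.(0|[1-9]\d*))+\Z")

def valid_type(t):
    """RFC 4514 attribute type: a short name or a well-formed dotted OID."""
    if SHORT_NAME.match(t):
        return True
    if not DOTTED_OID.match(t):
        return False
    arcs = [int(a) for a in t.split(".")]
    # First arc is 0..2; under arcs 0 and 1 the second arc is limited to 0..39.
    return arcs[0] <= 2 and (arcs[0] == 2 or arcs[1] <= 39)

def split_hex_value(value):
    """Split a '#hex' value at the end given by its DER length octet (short form only)."""
    m = re.match(r"#([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})", value)
    if not m or int(m.group(2), 16) >= 0x80:
        return None, value
    end = 5 + 2 * int(m.group(2), 16)
    body = value[5:end]
    if len(body) != end - 5 or not re.fullmatch(r"[0-9A-Fa-f]*", body):
        return None, value
    return bytes.fromhex(body).decode("latin-1"), value[end:]

def check_issuer(dn):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    for rdn in re.split(r"(?<!\\),", dn):   # split on commas that are not escaped
        atype, _, value = rdn.partition("=")
        if not valid_type(atype):
            problems.append("bad attribute type: %r" % atype)
        if value.startswith("#"):
            text, rest = split_hex_value(value)
            if text is None:
                problems.append("undecodable hex value")
            elif rest:  # text follows the DER value with no separator
                problems.append("hex value %r runs into %r" % (text, rest.split("=")[0]))
    return problems

if __name__ == "__main__":
    print([check_issuer(s) for s in SAMPLES])
```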