[Bro] Problems parsing x509 issuer?

Michael Wenthold michael.wenthold at gmail.com
Thu Jun 5 13:26:13 PDT 2014


I'm only using a small sample pcap, but 2.3-beta5 appears to fix the
parsing issue.

thanks!


On Thu, Jun 5, 2014 at 5:00 PM, <bernhard at icsi.berkeley.edu> wrote:

> Hello Michael,
>
> Like Anthony said, this bug was probably fixed in the current master
> version. Could you try with that and see if that fixes your problem? I
> think this is the only change since 2.3-beta that made it into master, so
> using it will not break anything else.
>
> Bernhard
>
>
> On 5 Jun 2014, at 9:22, Michael Wenthold wrote:
>
>> All,
>>
>> We are experimenting with tracking/whitelisting x509 certificate issuers,
>> using Bro 2.2.  I'm seeing that certain certificates consistently don't
>> appear to be getting parsed properly.
>>
>> For example:
>>
>> 1.311.60.2.1.3=#13025553CN=VeriSign Class 3 Extended Validation SSL SGC
>> CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign
>> Trust
>> Network,O=VeriSign\, Inc.,C=US
>>
>> 025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use
>> at
>> https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\,
>> Inc.,C=US
>>
>> .1.3=#13025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms
>> of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust
>> Network,O=VeriSign\, Inc.,C=US
>>
>>
>> This is just a small sample, but it appears to happen mostly with certain
>> certificates (like the Verisign extended validation certs).   Is anyone
>> else seeing this?
>>
>>
>> Mike
>
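
Added example, not part of the original thread and not Bro's own code: a syntax check that sets malformed issuer strings like the three quoted above aside before they are compared against an issuer whitelist, so a parsing fault shows up as its own category rather than as an unknown issuer. It assumes the issuer field is meant to be an RFC 4514 string, which the `#13025553` hex form and the `\,` escape in the samples suggest; all function names are hypothetical.

```python
import re

# RFC 4514 syntax: attribute type (short name or dotted OID), '#'+hex DER value.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
HEX_VALUE = re.compile(r"^#(?:[0-9A-Fa-f]{2})+$")

def split_rdns(dn):
    """Split a DN on unescaped ',' or '+', keeping backslash escapes intact."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" else 1  # an escape pair stays together
        if step == 1 and dn[i] in ",+":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return parts + [cur]

def issuer_problem(dn):
    """Return the first syntax problem found, or None if well-formed."""
    for rdn in split_rdns(dn):
        atype, sep, value = rdn.partition("=")
        if not sep or not ATTR_TYPE.match(atype):
            return "bad attribute type: " + rdn
        if value.startswith("#") and not HEX_VALUE.match(value):
            return "bad hex value: " + rdn
    return None

def decode_hex_value(value):
    """Decode '#<DER>' holding a short UTF8/Printable/IA5 string, else None."""
    der = bytes.fromhex(value[1:]) if HEX_VALUE.match(value) else b""
    is_string = len(der) >= 2 and der[0] in (0x0C, 0x13, 0x16)
    if is_string and der[1] == len(der) - 2 < 0x80:
        return der[2:].decode("utf-8", "replace")
    return None

def classify(dn, allowlist):
    """Malformed values are set aside for review instead of being matched."""
    if issuer_problem(dn):
        return "malformed"
    return "allowed" if dn in allowlist else "unknown"

# The three issuer strings from the thread, rejoined from the mail's line wraps.
TAIL = (r"CN=VeriSign Class 3 Extended Validation SSL SGC CA,"
        r"OU=Terms of use at https://www.verisign.com/rpa (c)06,"
        r"OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US")
GARBLED = [p + TAIL
           for p in ("1.311.60.2.1.3=#13025553", "025553", ".1.3=#13025553")]
```

`decode_hex_value("#13025553")` returns `US`: the hex is a DER PrintableString, and the `025553` at the start of the second sample is the tail of that same encoding.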