[Bro] Invalid_Server_Cert entries in notice.log

Jeff Hammett jeff at jeffhammett.com
Sun Nov 2 21:00:22 PST 2014


I am seeing a lot of entries in notice.log for invalid SSL certs: SSL::Invalid_Server_Cert, "SSL certificate validation failed with (unable to get local issuer certificate)".

These are for legitimate sites that I think have valid SSL certs. When I go to the IP listed in a web browser they do indeed have valid certificates.

Is there any way to further verify that nothing strange is going on? And if everything is OK, is there a way to suppress these warnings for sites that do have valid certs, so that if any users visit sites with self-signed or otherwise invalid certificates they'll stand out in the notice.log?

A few examples from notice.log:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2014-11-02-20-28-34
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
1414989068.580505	CyZhPK15RzCUnN7ura	192.168.1.143	49285	134.170.165.251	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=fe2.update.microsoft.com,OU=WUPDS,O=Microsoft,L=Redmond,ST=Washington,C=US	192.168.1.143	134.170.165.251	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
1414989315.341931	C1Ll1O381lfcKl4H3k	192.168.1.105	57151	17.158.52.16	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US	192.168.1.105	17.158.52.16	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
1414989316.321356	CHwvguxImPT6pSiU7	192.168.1.105	57152	17.158.52.77	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US	192.168.1.105	17.158.52.77	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
1414989495.154433	C6TtbD2IR6tOvyBEze	192.168.1.195	50506	72.32.45.19	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=giga.logs.roku.com,O=Roku\, Inc.,ST=California,C=US	192.168.1.195	72.32.45.19	443	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
1414989678.402401	C2uDCc4cE0Brc2GUV1	192.168.1.143	49387	184.180.124.10	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=MA,C=US	192.168.1.143	184.180.124.10	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
1414990083.832444	C4Z0274jeydu7rN8G1	192.168.1.105	57356	17.158.52.69	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US	192.168.1.105	17.158.52.69	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
1414990161.080209	CKVmf6WV0KGxfT3T7	192.168.1.105	57369	17.158.52.68	443	-	-	-	tcp	SSL::Invalid_Server_Cert	SSL certificate validation failed with (unable to get local issuer certificate)	CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US	192.168.1.105	17.158.52.68	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-


--
Jeff Hammett
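
An added example, not part of the original post: one way to make the other failures stand out is to group the SSL::Invalid_Server_Cert notices by OpenSSL reason and certificate subject, then set aside the "unable to get local issuer certificate" group. The sample rows are constructed in the notice.log layout shown above with fewer columns; the "self signed certificate" reason string and the example.invalid subject are assumptions.

```python
from collections import Counter

ISSUER_GAP = "unable to get local issuer certificate"
PREFIX = "SSL certificate validation failed with "

def _row(ts, orig, resp, reason, sub):
    # Helper for the constructed sample only: one tab-separated notice record.
    return "\t".join([ts, orig, resp, "SSL::Invalid_Server_Cert", PREFIX + "(" + reason + ")", sub])

# Constructed sample; the last row is invented to show a non-chain failure.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.resp_h\tnote\tmsg\tsub",
    _row("1414989315.341931", "192.168.1.105", "17.158.52.16", ISSUER_GAP,
         "CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US"),
    _row("1414989316.321356", "192.168.1.105", "17.158.52.77", ISSUER_GAP,
         "CN=*.icloud.com,O=Apple Inc.,L=Cupertino,ST=California,C=US"),
    _row("1414990200.000000", "192.168.1.50", "203.0.113.7", "self signed certificate",
         "CN=device.example.invalid"),
])

def read_bro_log(lines):
    """Yield one dict per record, keyed by the names on the #fields line."""
    sep, fields = "\t", []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # The separator is written hex-escaped, e.g. the four characters \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split(sep)))

def validation_reason(msg):
    """Return the text inside the parentheses of the notice message."""
    start, end = msg.find("("), msg.rfind(")")
    return msg[start + 1:end] if 0 <= start < end else msg

def triage(lines):
    """Count Invalid_Server_Cert notices per (reason, certificate subject)."""
    counts = Counter()
    for rec in read_bro_log(lines):
        if rec.get("note") == "SSL::Invalid_Server_Cert":
            counts[(validation_reason(rec.get("msg", "")), rec.get("sub", "-"))] += 1
    return counts

def stand_out(counts):
    """Keep only the groups whose reason is not a missing issuer certificate."""
    return {key: n for key, n in counts.items() if key[0] != ISSUER_GAP}
```

To run it over a real file, pass the open file object to `triage()`; fields are looked up by name from the `#fields` header, so the full 26-column layout works unchanged.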





