[Bro] Log all client cipher suites

Harrison, Daniel (US SSA) daniel.harrison4 at baesystems.com
Sun Jan 18 09:12:51 PST 2015


I am trying to write a script to log all client_hello cipher suites to the
ssl log, preferably in the ascii hex format as they look in the pcap. I
hacked up a similar script and got it to create the log entry but the column
shows only (empty). Any idea on how to do this? Thanks.

 

******************************

@load base/protocols/ssl/main

module SSL;

export {
        redef record Info += {
                ciphers: vector of string &log &optional;
        };

        ## A boolean value to determine if client headers are to be logged.
        const log_ciphers = T &redef;
}

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string, ciphers: index_vec)
        {
        if ( ! c?$ssl )
                return;

        if ( log_ciphers )
                {
                c$ssl$ciphers = vector();
                }
        }

******************************

Scott Harrison
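
Added example, not part of the original post or of the Bro distribution: the handler as posted assigns an empty vector to c$ssl$ciphers and never copies the event's ciphers argument into it, which the ASCII log writer renders as (empty). The sketch below fills the field with each offered suite as four hex digits; the names client_ciphers, log_client_ciphers and ciphers_to_hex are hypothetical, and it assumes the ssl_client_hello signature shown in the post.

```bro
@load base/protocols/ssl

module SSL;

export {
        redef record Info += {
                ## Cipher suites offered in the ClientHello, in the order the
                ## client sent them, each as zero-padded hex (e.g. c02f).
                ## Field name is hypothetical, chosen for this example.
                client_ciphers: vector of string &log &optional;
        };

        ## Set to F to stop logging the offered cipher suites.
        const log_client_ciphers = T &redef;
}

# Hypothetical helper: convert the numeric suite IDs delivered by the
# event (index_vec is a vector of count) into hex strings.
function ciphers_to_hex(suites: index_vec): vector of string
        {
        local out: vector of string = vector();

        # Iterating a vector yields its indices; writing out[i] keeps the
        # client's preference order intact.
        for ( i in suites )
                out[i] = fmt("%04x", suites[i]);

        return out;
        }

# Runs at the default priority (0), i.e. after the base SSL script's
# higher-priority handler has created c$ssl for this connection.
event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string,
                       ciphers: index_vec)
        {
        if ( ! log_client_ciphers || ! c?$ssl )
                return;

        c$ssl$client_ciphers = ciphers_to_hex(ciphers);
        }
```

The new column appears in ssl.log as a comma-separated set of hex values, which can be compared directly against the cipher suite bytes in the pcap.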
