[Bro] Log all client cipher suites

Johanna Amann johanna at icir.org
Sun Jan 18 10:02:18 PST 2015


Hello Daniel,

On Sun, Jan 18, 2015 at 05:12:51PM +0000, Harrison, Daniel (US SSA) wrote:
> I am trying to write a script to log all client_hello cipher suites to the
> ssl log, preferably in the ascii hex format as they look in the pcap. I
> hacked up a similar script and got it to create the log entry but the column
> shows only (empty). Any idea on how to do this? Thanks.

The reason your script does not work at the moment is that you only
assigned an empty vector in the ssl_client_hello event without passing it
the actual data.

I modified it slightly below to just dump the raw number of all client
ciphers, converted into hex, into the log. Note that it drops 0's in the
front.

I hope this helps,
 Johanna

----

@load base/protocols/ssl/main

module SSL;

export {
	redef record Info += {
		ciphers:  vector of string &log &optional;
	};

	## A boolean value to determine if client cipher suites are to be logged.
	const log_ciphers = T &redef;
}


event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
{
	if ( ! c?$ssl )
		return;


	if ( log_ciphers )
		{
		c$ssl$ciphers = vector();
		for ( i in ciphers )
			c$ssl$ciphers[i] = fmt("%x", ciphers[i]);
		}
}
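
Added example (not part of the original email or of Bro itself): a Python post-processing sketch that reads the extra ciphers column from an ASCII ssl.log, restores the leading zeros that "%x" drops, and rebuilds the two-byte-per-suite form seen in the pcap. The sample log, its uids and addresses are constructed, and the function names are hypothetical.

```python
# Constructed sample ssl.log (three columns only; all values are made up).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tuid\tid.orig_h\tciphers\n"
    "#types\tstring\taddr\tvector[string]\n"
    "CXWv6p3arKYeMETxOg\t192.0.2.10\tc02b,c02f,9e,2f,a,ff\n"
    "CjhGID4nQcgTWjvg4c\t192.0.2.11\t(empty)\n"
    "CCvvfg3TEfuqmmG4bh\t192.0.2.12\t-\n"
)


def read_client_ciphers(lines):
    """Yield (uid, suites) per row; suites is None if unset, [] if empty,
    otherwise a list of 4-digit hex strings (leading zeros restored)."""
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#"):
            # Header lines look like "#key<TAB>value"; pick up the ones we need.
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key in meta:
                meta[key] = value
            continue
        if not line:
            continue
        row = dict(zip(fields, line.split("\t")))
        raw = row.get("ciphers", meta["unset_field"])
        if raw == meta["unset_field"]:
            suites = None          # field never assigned
        elif raw == meta["empty_field"]:
            suites = []            # vector assigned but never filled
        else:
            suites = [s.zfill(4) for s in raw.split(meta["set_separator"])]
        yield row["uid"], suites


def wire_bytes(suites):
    """Cipher-suite list as sent in the ClientHello: two bytes per suite, big-endian."""
    return b"".join(int(s, 16).to_bytes(2, "big") for s in suites)


if __name__ == "__main__":
    for uid, suites in read_client_ciphers(SAMPLE_LOG.splitlines()):
        print(uid, suites, wire_bytes(suites).hex(" ") if suites else "")
```
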


