[Bro] Log all client cipher suites

Harrison, Daniel (US SSA) daniel.harrison4 at baesystems.com
Mon Jan 19 14:40:23 PST 2015


That worked, thanks. I changed the format to add leading zeros for the 2-byte
ciphers, but that doesn't take into account the 3-byte ones.
Is there an easy way to keep the leading zeros in the hex no matter the
length?

@load base/protocols/ssl/main
module SSL;
export {
	redef record Info += {
		ciphers:  vector of string &log &optional;
	};
	## A boolean value to determine if client cipher suites are to be logged.
	const log_ciphers = T &redef;
}
event ssl_client_hello(c: connection, version: count, possible_ts: time,
client_random: string, session_id: string, ciphers: index_vec) {
	if ( ! c?$ssl )
		return;
	if ( log_ciphers )
		{
		c$ssl$ciphers = vector();
		for ( i in ciphers )
			c$ssl$ciphers[i] = fmt("%04x", ciphers[i]);  # pads 2-byte ids to 4 hex digits
		}
}

-----Original Message-----
From: Johanna Amann [mailto:johanna at icir.org] 
Sent: Sunday, January 18, 2015 1:02 PM
To: Harrison, Daniel (US SSA)
Cc: bro at bro.org
Subject: Re: [Bro] Log all client cipher suites

Hello Daniel,

On Sun, Jan 18, 2015 at 05:12:51PM +0000, Harrison, Daniel (US SSA) wrote:
> I am trying to write a script to log all client_hello cipher suites to 
> the ssl log, preferably in the ascii hex format as they look in the 
> pcap. I hacked up a similar script and got it to create the log entry 
> but the column shows only (empty). Any idea on how to do this? Thanks.

The reason your script does not work at the moment is that you only
assigned an empty vector in the ssl_client_hello event without passing it
the actual data.

I modified it slightly below to just dump the raw number of all client
ciphers, converted into hex, into the log. Note that it drops leading 0s.

I hope this helps,
 Johanna

----

@load base/protocols/ssl/main

module SSL;

export {
	redef record Info += {
		ciphers:  vector of string &log &optional;
	};

	## A boolean value to determine if client cipher suites are to be logged.
	const log_ciphers = T &redef;
}


event ssl_client_hello(c: connection, version: count, possible_ts: time,
client_random: string, session_id: string, ciphers: index_vec) {
	if ( ! c?$ssl )
		return;


	if ( log_ciphers )
		{
		c$ssl$ciphers = vector();
		for ( i in ciphers )
			c$ssl$ciphers[i] = fmt("%x", ciphers[i]);  # no padding: leading zeros are dropped
		}
}
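
The padding question raised in the thread, worked into a complete script as
an added example that is not code from either message above: a 2-byte
TLS/SSLv3 suite id is padded to 4 hex digits and a 3-byte SSLv2 id (any value
above 0xffff) to 6, so every entry keeps the width it had on the wire, and
the suite names are logged beside the ids. It assumes the Bro 2.3-era
ssl_client_hello signature used in the thread and that base/protocols/ssl/main
pulls in the SSL::cipher_desc table from base/protocols/ssl/consts (whose
&default covers ids it does not know); the field, option and function names
are my own.

```bro
# Added example, not part of the thread. Logs each ClientHello cipher suite
# as zero-padded hex sized to its wire width, plus its name.

@load base/protocols/ssl/main

module SSL;

export {
	redef record Info += {
		## Client-offered cipher suites as zero-padded hex, in offer order
		## (hypothetical field name).
		client_ciphers:      vector of string &log &optional;
		## The same suites by name, looked up in SSL::cipher_desc.
		client_cipher_names: vector of string &log &optional;
	};

	## Set to F to stop logging client cipher suites (hypothetical option).
	const log_client_ciphers = T &redef;
}

## Width-aware formatting: SSLv2 suites are 3 bytes on the wire and do not
## fit in 0xffff, so they get 6 hex digits; everything else gets 4.
function format_cipher(id: count): string
	{
	return id > 0xffff ? fmt("%06x", id) : fmt("%04x", id);
	}

event ssl_client_hello(c: connection, version: count, possible_ts: time,
                       client_random: string, session_id: string,
                       ciphers: index_vec)
	{
	# Nothing to attach the suites to if the SSL::Info record is missing.
	if ( ! log_client_ciphers || ! c?$ssl )
		return;

	c$ssl$client_ciphers = vector();
	c$ssl$client_cipher_names = vector();

	for ( i in ciphers )
		{
		c$ssl$client_ciphers[i] = format_cipher(ciphers[i]);
		# cipher_desc's &default yields a placeholder string for unknown ids,
		# so private or reserved suites do not abort the event handler.
		c$ssl$client_cipher_names[i] = cipher_desc[ciphers[i]];
		}
	}
```

With this loaded, a ClientHello offering 0x002f and the SSLv2 suite 0x010080
produces the ssl.log column entries 002f and 010080 rather than 2f and 10080,
and the name column stays aligned with the id column because both vectors are
indexed by the same offer position.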
