[Bro] Why am I seeing SSL "files" in my files.log?

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Thu Jan 29 12:07:10 PST 2015


Dear all,

I've been looking at my files.log file and I'm seeing a lot of logged
transfers for source=SSL.

root@appliance:/usr/local/bro/logs# cat current/files.log  | grep -i ssl | head
1422561677.508576       FmK9Jn1by8UfJ7Uk6c      216.58.217.46
192.168.200.235 CUEEAE4YJ25B6LwU03      SSL     0       X509,MD5,SHA1   -
    -0.000000 F       F       1737    -       0       0       F       -
  04805888dbfa26c78e52f8860be4a776
 43ae5511994a4d13b2b1e8b013bff7196c5645d2  -       -
1422561677.508576       FrcIKka3GRTlXwCYk       216.58.217.46
192.168.200.235 CUEEAE4YJ25B6LwU03      SSL     0       X509,MD5,SHA1   -
    -0.000000 F       F       1012    -       0       0       F       -
  46f1bf2f24dd3aa9cfd760a3bade5ec7
 bbdce13e9d537a5229915cb123c7aab0a855e798  -       -
1422561677.508576       FEuCUs4oRjvbJIPB68      216.58.217.46
192.168.200.235 CUEEAE4YJ25B6LwU03      SSL     0       X509,MD5,SHA1   -
    -0.000000 F       F       897     -       0       0       F       -
  2e7db2a31d0e3da4b25f49b9542a2e1a
 7359755c6df9a0abc3060bce369564c8ec4542a3  -       -
1422561677.588403       FKhNYN30aqixQTq0ya      216.58.217.14
192.168.200.235 CWx7Gs1ETyWn2IKu4h      SSL     0       X509,MD5,SHA1   -
    -0.000000 F       F       1737    -       0       0       F       -
  04805888dbfa26c78e52f8860be4a776
 43ae5511994a4d13b2b1e8b013bff7196c5645d2  -       -
1422561677.588403       F6KI5g2pFla0x2h4w4      216.58.217.14
192.168.200.235 CWx7Gs1ETyWn2IKu4h      SSL     0       X509,MD5,SHA1   -
    -0.000000 F       F       1012    -       0       0       F       -
  46f1bf2f24dd3aa9cfd760a3bade5ec7
 bbdce13e9d537a5229915cb123c7aab0a855e798  -       -
1422561677.588403       FMD4Yq4JDMdG7dTnC6      216.58.217.14
192.168.200.235 CWx7Gs1ETyWn2IKu4h      SSL     0       X509,MD5,SHA1   -
    -0.000000 F       F       897     -       0       0       F       -
  2e7db2a31d0e3da4b25f49b9542a2e1a
 7359755c6df9a0abc3060bce369564c8ec4542a3  -       -
1422561680.734060       F6kS0Y3B6xPUSr5bQ3      54.244.242.173
 192.168.200.227 C2s8C31rDqouwSyREj      SSL     0       X509,MD5,SHA1   -
      -0.000000 F       F       931     -       0       0       F       -
    591c402fa2cbf8279323e5336dfe78e2
 37c4666a6fb5535e01a113f5a25c7ae2b7d942c5  -       -
1422561681.173742       FU1DBs1wCoSQhuW2O3      54.203.249.201
 192.168.200.227 CIJSA81yUj2OZ3Zec       SSL     0       X509,MD5,SHA1   -
      -0.000000 F       F       1362    -       0       0       F       -
    1595a86ed4570a4804ccb459ba49c710
 be032d527dcc970b2cb056c953036b3dac6d299f  -       -
1422561681.173742       FnauTv4UWVVeIEhKfb      54.203.249.201
 192.168.200.227 CIJSA81yUj2OZ3Zec       SSL     0       X509,MD5,SHA1   -
      -0.000000 F       F       1433    -       0       0       F       -
    f9a20bda18c130a3dd2c9300646baa70
 12c9b291d19d3632d44f1069551c46490aea0542  -       -
1422561681.173742       FJLfsb48MeGcQiiID5      54.203.249.201
 192.168.200.227 CIJSA81yUj2OZ3Zec       SSL     0       X509,MD5,SHA1   -
      -0.000000 F       F       1087    -       0       0       F       -
    d9e1f5ce2bf6982005dc6d95aa9f9875
 20ee1b7a0dbae0cf16f5a6327fc4ae1cef25f12c  -       -
root@appliance:/usr/local/bro/logs#

What are these? Are these SSL certificates that are being transferred?

Thank you,
Luis