[Bro] Why am I seeing SSL "files" in my files.log?
Luis Miguel Silva
luismiguelferreirasilva at gmail.com
Thu Jan 29 12:07:10 PST 2015
Dear all,
I've been looking at my files.log file and I'm seeing a lot of logged
transfers for source=SSL.
root@appliance:/usr/local/bro/logs# cat current/files.log | grep -i ssl | head
1422561677.508576 FmK9Jn1by8UfJ7Uk6c 216.58.217.46
192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1737 - 0 0 F -
04805888dbfa26c78e52f8860be4a776
43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -
1422561677.508576 FrcIKka3GRTlXwCYk 216.58.217.46
192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1012 - 0 0 F -
46f1bf2f24dd3aa9cfd760a3bade5ec7
bbdce13e9d537a5229915cb123c7aab0a855e798 - -
1422561677.508576 FEuCUs4oRjvbJIPB68 216.58.217.46
192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 -
-0.000000 F F 897 - 0 0 F -
2e7db2a31d0e3da4b25f49b9542a2e1a
7359755c6df9a0abc3060bce369564c8ec4542a3 - -
1422561677.588403 FKhNYN30aqixQTq0ya 216.58.217.14
192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1737 - 0 0 F -
04805888dbfa26c78e52f8860be4a776
43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -
1422561677.588403 F6KI5g2pFla0x2h4w4 216.58.217.14
192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1012 - 0 0 F -
46f1bf2f24dd3aa9cfd760a3bade5ec7
bbdce13e9d537a5229915cb123c7aab0a855e798 - -
1422561677.588403 FMD4Yq4JDMdG7dTnC6 216.58.217.14
192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 -
-0.000000 F F 897 - 0 0 F -
2e7db2a31d0e3da4b25f49b9542a2e1a
7359755c6df9a0abc3060bce369564c8ec4542a3 - -
1422561680.734060 F6kS0Y3B6xPUSr5bQ3 54.244.242.173
192.168.200.227 C2s8C31rDqouwSyREj SSL 0 X509,MD5,SHA1 -
-0.000000 F F 931 - 0 0 F -
591c402fa2cbf8279323e5336dfe78e2
37c4666a6fb5535e01a113f5a25c7ae2b7d942c5 - -
1422561681.173742 FU1DBs1wCoSQhuW2O3 54.203.249.201
192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1362 - 0 0 F -
1595a86ed4570a4804ccb459ba49c710
be032d527dcc970b2cb056c953036b3dac6d299f - -
1422561681.173742 FnauTv4UWVVeIEhKfb 54.203.249.201
192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1433 - 0 0 F -
f9a20bda18c130a3dd2c9300646baa70
12c9b291d19d3632d44f1069551c46490aea0542 - -
1422561681.173742 FJLfsb48MeGcQiiID5 54.203.249.201
192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 -
-0.000000 F F 1087 - 0 0 F -
d9e1f5ce2bf6982005dc6d95aa9f9875
20ee1b7a0dbae0cf16f5a6327fc4ae1cef25f12c - -
root@appliance:/usr/local/bro/logs#
What are these? Are these SSL certificates that are being transferred?
Thank you,
Luis
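
Added example (not part of the original post and not Bro project code): a small Python parser for files.log rows like the ones pasted above. It groups the source=SSL entries that carry the X509 analyzer by connection UID and reports certificate hashes seen on more than one connection. Bro releases that include the X509 file analyzer pass the certificates from a TLS handshake through the file analysis framework, which is why they are logged as files. Assumptions: Bro's default files.log column order, tab separators, and that the "-0.000000" in the pasted rows is an unset filename followed by a duration of 0.000000.

```python
from collections import defaultdict

# Assumed column order (Bro's default files.log); the log's own #fields header is authoritative.
FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type "
          "filename duration local_orig is_orig seen_bytes total_bytes missing_bytes "
          "overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted").split()

# Three rows from the post, wraps rejoined; "-0.000000" read as "-" then "0.000000" (assumption).
SAMPLE = [
    "1422561677.508576 FmK9Jn1by8UfJ7Uk6c 216.58.217.46 192.168.200.235 "
    "CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - - 0.000000 F F 1737 - 0 0 F - "
    "04805888dbfa26c78e52f8860be4a776 43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -",
    "1422561677.588403 FKhNYN30aqixQTq0ya 216.58.217.14 192.168.200.235 "
    "CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - - 0.000000 F F 1737 - 0 0 F - "
    "04805888dbfa26c78e52f8860be4a776 43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -",
    "1422561680.734060 F6kS0Y3B6xPUSr5bQ3 54.244.242.173 192.168.200.227 "
    "C2s8C31rDqouwSyREj SSL 0 X509,MD5,SHA1 - - 0.000000 F F 931 - 0 0 F - "
    "591c402fa2cbf8279323e5336dfe78e2 37c4666a6fb5535e01a113f5a25c7ae2b7d942c5 - -",
]
SAMPLE = [s.replace(" ", "\t") for s in SAMPLE]  # real files.log is tab-separated

def parse(lines):
    """Yield one dict per record; skip headers and rows with a wrong column count."""
    for line in lines:
        values = line.rstrip("\n").split("\t")
        if line.startswith("#") or len(values) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, values))

def certs_by_connection(records):
    """Map conn UID -> [(seen_bytes, sha1)] for files the X509 analyzer saw over SSL."""
    chains = defaultdict(list)
    for r in records:
        if r["source"] == "SSL" and "X509" in r["analyzers"].split(","):
            for uid in r["conn_uids"].split(","):
                chains[uid].append((int(r["seen_bytes"]), r["sha1"]))
    return dict(chains)

def shared_certs(chains):
    """Return sha1 -> sorted conn UIDs for certificates seen on several connections."""
    seen = defaultdict(set)
    for uid, certs in chains.items():
        for _, sha1 in certs:
            seen[sha1].add(uid)
    return {h: sorted(u) for h, u in seen.items() if len(u) > 1}

if __name__ == "__main__":
    chains = certs_by_connection(parse(SAMPLE))
    print(chains)
    print(shared_certs(chains))
```

The conn_uids value of each group can be looked up in ssl.log and conn.log to see which TLS session presented the certificate.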