[Bro] Why am I seeing SSL "files" in my files.log?

Liam Randall liam.randall at gmail.com
Thu Jan 29 12:22:21 PST 2015


These are the x509 Certificates that are exchanged as a part of the SSL/TLS
handshake.  The "X509, MD5, SHA1" indicates that three file analyzers were
attached to the file.  For further details on the information extracted from
the cert, pivot using the file id to the x509.log.

I think in a default configuration of Bro you'll see that only the host
certificate is loaded (client and server); that behavior can be modified:
https://www.bro.org/sphinx/_downloads/log-hostcerts-only.bro

Thanks,

Liam
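As an added example of the pivot described above (not code from this thread or from Bro itself): parse files.log and x509.log in Bro's tab-separated ASCII format, keep the rows with source=SSL, and join each one to the certificate record whose id equals the file's fuid. Both sample logs are constructed and trimmed to the columns the example reads; the first files.log record reuses the fuid and hashes from the question.

```python
"""Pivot from files.log SSL entries to x509.log on the file id (files.log fuid == x509.log id)."""
from typing import Dict, List, Optional

# Constructed sample logs (trimmed: real Bro logs carry more columns and #-directives).
FILES_LOG = "\n".join([
    "\t".join(["#fields", "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source",
               "depth", "analyzers", "mime_type", "seen_bytes", "md5", "sha1"]),
    "\t".join(["1422561677.508576", "FmK9Jn1by8UfJ7Uk6c", "216.58.217.46", "192.168.200.235",
               "CUEEAE4YJ25B6LwU03", "SSL", "0", "X509,MD5,SHA1", "-", "1737",
               "04805888dbfa26c78e52f8860be4a776", "43ae5511994a4d13b2b1e8b013bff7196c5645d2"]),
    # made-up HTTP transfer, present only to show that non-SSL rows are skipped
    "\t".join(["1422561690.000000", "FExampleHttp000000", "203.0.113.5", "192.168.200.235",
               "CExampleConn00000", "HTTP", "0", "MD5,SHA1", "text/html", "512",
               "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709"]),
])
X509_LOG = "\n".join([
    "\t".join(["#fields", "ts", "id", "certificate.subject", "certificate.issuer"]),
    "\t".join(["1422561677.508576", "FmK9Jn1by8UfJ7Uk6c",
               "CN=example-server,O=Example Org", "CN=Example Intermediate CA"]),
])


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log: the #fields header names the tab-separated columns."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#separator, #types, #close) and blank lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ssl_cert_files(files_text: str, x509_text: str) -> List[Dict[str, object]]:
    """Keep files.log rows with source=SSL and attach the x509.log record with the same id."""
    x509_by_id = {r["id"]: r for r in parse_bro_log(x509_text)}
    result: List[Dict[str, object]] = []
    for r in parse_bro_log(files_text):
        if r["source"] != "SSL":
            continue
        cert: Optional[Dict[str, str]] = x509_by_id.get(r["fuid"])  # the pivot
        result.append({
            "fuid": r["fuid"],
            "conn_uid": r["conn_uids"],
            "sender": r["tx_hosts"],  # tx_hosts is the side that sent the certificate
            "analyzers": r["analyzers"].split(","),  # e.g. X509, MD5, SHA1
            "sha1": r["sha1"],
            "subject": cert["certificate.subject"] if cert else None,
            "issuer": cert["certificate.issuer"] if cert else None,
        })
    return result
```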



On Thu, Jan 29, 2015 at 3:07 PM, Luis Miguel Silva <
luismiguelferreirasilva at gmail.com> wrote:

> Dear all,
>
> I've been looking at my files.log file and I'm seeing a lot of logged
> transfers for source=SSL.
>
> root at appliance:/usr/local/bro/logs# cat current/files.log  | grep -i ssl
> | head
> 1422561677.508576       FmK9Jn1by8UfJ7Uk6c      216.58.217.46
> 192.168.200.235 CUEEAE4YJ25B6LwU03      SSL     0       X509,MD5,SHA1   -
>     -0.000000 F       F       1737    -       0       0       F       -
>   04805888dbfa26c78e52f8860be4a776
>  43ae5511994a4d13b2b1e8b013bff7196c5645d2  -       -
> 1422561677.508576       FrcIKka3GRTlXwCYk       216.58.217.46
> 192.168.200.235 CUEEAE4YJ25B6LwU03      SSL     0       X509,MD5,SHA1   -
>     -0.000000 F       F       1012    -       0       0       F       -
>   46f1bf2f24dd3aa9cfd760a3bade5ec7
>  bbdce13e9d537a5229915cb123c7aab0a855e798  -       -
> 1422561677.508576       FEuCUs4oRjvbJIPB68      216.58.217.46
> 192.168.200.235 CUEEAE4YJ25B6LwU03      SSL     0       X509,MD5,SHA1   -
>     -0.000000 F       F       897     -       0       0       F       -
>   2e7db2a31d0e3da4b25f49b9542a2e1a
>  7359755c6df9a0abc3060bce369564c8ec4542a3  -       -
> 1422561677.588403       FKhNYN30aqixQTq0ya      216.58.217.14
> 192.168.200.235 CWx7Gs1ETyWn2IKu4h      SSL     0       X509,MD5,SHA1   -
>     -0.000000 F       F       1737    -       0       0       F       -
>   04805888dbfa26c78e52f8860be4a776
>  43ae5511994a4d13b2b1e8b013bff7196c5645d2  -       -
> 1422561677.588403       F6KI5g2pFla0x2h4w4      216.58.217.14
> 192.168.200.235 CWx7Gs1ETyWn2IKu4h      SSL     0       X509,MD5,SHA1   -
>     -0.000000 F       F       1012    -       0       0       F       -
>   46f1bf2f24dd3aa9cfd760a3bade5ec7
>  bbdce13e9d537a5229915cb123c7aab0a855e798  -       -
> 1422561677.588403       FMD4Yq4JDMdG7dTnC6      216.58.217.14
> 192.168.200.235 CWx7Gs1ETyWn2IKu4h      SSL     0       X509,MD5,SHA1   -
>     -0.000000 F       F       897     -       0       0       F       -
>   2e7db2a31d0e3da4b25f49b9542a2e1a
>  7359755c6df9a0abc3060bce369564c8ec4542a3  -       -
> 1422561680.734060       F6kS0Y3B6xPUSr5bQ3      54.244.242.173
>  192.168.200.227 C2s8C31rDqouwSyREj      SSL     0       X509,MD5,SHA1   -
>       -0.000000 F       F       931     -       0       0       F       -
>     591c402fa2cbf8279323e5336dfe78e2
>  37c4666a6fb5535e01a113f5a25c7ae2b7d942c5  -       -
> 1422561681.173742       FU1DBs1wCoSQhuW2O3      54.203.249.201
>  192.168.200.227 CIJSA81yUj2OZ3Zec       SSL     0       X509,MD5,SHA1   -
>       -0.000000 F       F       1362    -       0       0       F       -
>     1595a86ed4570a4804ccb459ba49c710
>  be032d527dcc970b2cb056c953036b3dac6d299f  -       -
> 1422561681.173742       FnauTv4UWVVeIEhKfb      54.203.249.201
>  192.168.200.227 CIJSA81yUj2OZ3Zec       SSL     0       X509,MD5,SHA1   -
>       -0.000000 F       F       1433    -       0       0       F       -
>     f9a20bda18c130a3dd2c9300646baa70
>  12c9b291d19d3632d44f1069551c46490aea0542  -       -
> 1422561681.173742       FJLfsb48MeGcQiiID5      54.203.249.201
>  192.168.200.227 CIJSA81yUj2OZ3Zec       SSL     0       X509,MD5,SHA1   -
>       -0.000000 F       F       1087    -       0       0       F       -
>     d9e1f5ce2bf6982005dc6d95aa9f9875
>  20ee1b7a0dbae0cf16f5a6327fc4ae1cef25f12c  -       -
> root at appliance:/usr/local/bro/logs#
>
> What are these? Are these ssl certificates that are being transferred?
>
> Thank you,
> Luis
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>