[Bro] Why am I seeing SSL "files" in my files.log?
Liam Randall
liam.randall at gmail.com
Thu Jan 29 12:22:21 PST 2015
These are the x509 certificates that are exchanged as a part of the SSL/TLS
handshake. The "X509, MD5, SHA1" indicates that three file analyzers were
attached to the file. For further details on information extracted from
the cert, pivot using the file id to the x509.log.
I think in a default configuration of Bro you'll see that only the host
certificate is loaded (client and server); that behavior can be modified:
https://www.bro.org/sphinx/_downloads/log-hostcerts-only.bro
Thanks,
Liam
On Thu, Jan 29, 2015 at 3:07 PM, Luis Miguel Silva <luismiguelferreirasilva at gmail.com> wrote:
> Dear all,
>
> I've been looking at my files.log file and I'm seeing a lot of logged
> transfers for source=SSL.
>
> root at appliance:/usr/local/bro/logs# cat current/files.log | grep -i ssl | head
> 1422561677.508576 FmK9Jn1by8UfJ7Uk6c 216.58.217.46 192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - -0.000000 F F 1737 - 0 0 F - 04805888dbfa26c78e52f8860be4a776 43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -
> 1422561677.508576 FrcIKka3GRTlXwCYk 216.58.217.46 192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - -0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - -
> 1422561677.508576 FEuCUs4oRjvbJIPB68 216.58.217.46 192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - -0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - -
> 1422561677.588403 FKhNYN30aqixQTq0ya 216.58.217.14 192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - -0.000000 F F 1737 - 0 0 F - 04805888dbfa26c78e52f8860be4a776 43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -
> 1422561677.588403 F6KI5g2pFla0x2h4w4 216.58.217.14 192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - -0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - -
> 1422561677.588403 FMD4Yq4JDMdG7dTnC6 216.58.217.14 192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - -0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - -
> 1422561680.734060 F6kS0Y3B6xPUSr5bQ3 54.244.242.173 192.168.200.227 C2s8C31rDqouwSyREj SSL 0 X509,MD5,SHA1 - -0.000000 F F 931 - 0 0 F - 591c402fa2cbf8279323e5336dfe78e2 37c4666a6fb5535e01a113f5a25c7ae2b7d942c5 - -
> 1422561681.173742 FU1DBs1wCoSQhuW2O3 54.203.249.201 192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 - -0.000000 F F 1362 - 0 0 F - 1595a86ed4570a4804ccb459ba49c710 be032d527dcc970b2cb056c953036b3dac6d299f - -
> 1422561681.173742 FnauTv4UWVVeIEhKfb 54.203.249.201 192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 - -0.000000 F F 1433 - 0 0 F - f9a20bda18c130a3dd2c9300646baa70 12c9b291d19d3632d44f1069551c46490aea0542 - -
> 1422561681.173742 FJLfsb48MeGcQiiID5 54.203.249.201 192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 - -0.000000 F F 1087 - 0 0 F - d9e1f5ce2bf6982005dc6d95aa9f9875 20ee1b7a0dbae0cf16f5a6327fc4ae1cef25f12c - -
> root at appliance:/usr/local/bro/logs#
>
> What are these? Are these ssl certificates that are being transferred?
>
> Thank you,
> Luis
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
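The pivot Liam describes above (files.log fuid to x509.log id), as an added example that is not part of the thread or of Bro itself: a small parser for Bro's tab-separated log format plus a join of source=SSL rows to their x509.log records. The log excerpts are constructed samples with trimmed columns; the two SSL rows reuse the file ids, connection uid and hashes from Luis's output, while the x509 subjects and issuers and the HTTP row are made up.

```python
# Added example (not from the thread): join files.log rows with source=SSL
# to x509.log by file id (files.log "fuid" == x509.log "id"). Both excerpts
# are constructed samples with trimmed columns in Bro's tab-separated format.
from typing import Dict, List

FILES_LOG = """\
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tanalyzers\tseen_bytes\tmd5\tsha1
1422561677.508576\tFmK9Jn1by8UfJ7Uk6c\t216.58.217.46\t192.168.200.235\tCUEEAE4YJ25B6LwU03\tSSL\tX509,MD5,SHA1\t1737\t04805888dbfa26c78e52f8860be4a776\t43ae5511994a4d13b2b1e8b013bff7196c5645d2
1422561677.508576\tFrcIKka3GRTlXwCYk\t216.58.217.46\t192.168.200.235\tCUEEAE4YJ25B6LwU03\tSSL\tX509,MD5,SHA1\t1012\t46f1bf2f24dd3aa9cfd760a3bade5ec7\tbbdce13e9d537a5229915cb123c7aab0a855e798
1422561690.000000\tFsample0HTTP\t10.0.0.5\t192.168.200.235\tCsample0HTTP\tHTTP\tMD5,SHA1\t512\t-\t-
"""

# Constructed x509.log rows: a leaf certificate and the intermediate CA
# certificate sent alongside it in the same handshake (same conn_uid).
X509_LOG = """\
#fields\tts\tid\tcertificate.subject\tcertificate.issuer\tcertificate.key_alg\tcertificate.key_length\tbasic_constraints.ca
1422561677.508576\tFmK9Jn1by8UfJ7Uk6c\tCN=www.example.com,O=Example\tCN=Example Intermediate CA,O=Example\trsaEncryption\t2048\tF
1422561677.508576\tFrcIKka3GRTlXwCYk\tCN=Example Intermediate CA,O=Example\tCN=Example Root CA,O=Example\trsaEncryption\t2048\tT
"""

def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's TSV log text into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines: #separator, #types, #close ...
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def ssl_cert_pivot(files_log: str, x509_log: str) -> List[dict]:
    """One record per source=SSL file, joined to its x509.log row. A fuid with
    no x509 row (no X509 analyzer, or log missing) keeps subject=None."""
    certs = {row["id"]: row for row in parse_bro_log(x509_log)}
    out = []
    for f in (r for r in parse_bro_log(files_log) if r["source"] == "SSL"):
        cert = certs.get(f["fuid"]) if "X509" in f["analyzers"].split(",") else None
        out.append({
            "fuid": f["fuid"],
            "conn_uid": f["conn_uids"],  # pivot key into conn.log / ssl.log
            "sha1": f["sha1"],
            "subject": cert["certificate.subject"] if cert else None,
            "issuer": cert["certificate.issuer"] if cert else None,
            "is_ca": (cert["basic_constraints.ca"] == "T") if cert else None,
        })
    return out
```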