[Bro] More crypto ID
Johanna Amann
johanna at icir.org
Fri Jul 8 13:21:21 PDT 2016
Hello James,
it is TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and should be
correctly identified by master. The use of that number is newer than Bro
2.4, which is why it is not present there. That cipher is specified in
RFC7905.
Thanks,
Johanna
On 8 Jul 2016, at 13:13, James Lay wrote:
> FYI:
>
> 2016-07-01T12:35:15-0600 CyqleS3tHf607yRdrj 192.168.1.101
> 38151 31.13.76.102 443 TLSv12 unknown-52393 -
> graph.facebook.com F- h2 T
> Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk (empty)
> CN=*.facebook.com,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US
> CN=DigiCert SHA2 High Assurance Server
> CA,OU=www.digicert.com,O=DigiCert
> Inc,C=US - - ok
>
> unkonwn-52393 is apparently QUIC crypto.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list