[Bro] More crypto ID
James Lay
jlay at slave-tothe-box.net
Fri Jul 8 13:30:57 PDT 2016
Argh... yeah, you're right, wrong stream. I am including a QUIC crypto
session that bro does not seem to recognize. Only thing I have for bro
seeing this stream is:
2016-07-02T14:46:30-0600 CWaKhQ3UAvIEem73fj 192.168.1.101
38848 31.13.76.102 443 tcp - 0.026353 1725
0 RSTR TF 0 ShADar 5 1993 5 268
(empty)
Thank you.
James
On 2016-07-08 14:21, Johanna Amann wrote:
> Hello James,
>
> it is TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and should be
> correctly identified by master. The use of that number is newer than
> Bro 2.4, which is why it is not present there. That cipher is
> specified in RFC7905.
>
> Thanks,
> Johanna
>
> On 8 Jul 2016, at 13:13, James Lay wrote:
>
>> FYI:
>>
>> 2016-07-01T12:35:15-0600 CyqleS3tHf607yRdrj 192.168.1.101
>> 38151 31.13.76.102 443 TLSv12 unknown-52393 -
>> graph.facebook.com F- h2 T
>> Fq3gsi3bxz1RdtYqej,FiQmMNkbUAqhiOOkk (empty)
>> CN=*.facebook.com,O=Facebook\\, Inc.,L=Menlo Park,ST=CA,C=US
>> CN=DigiCert SHA2 High Assurance Server
>> CA,OU=www.digicert.com,O=DigiCert
>> Inc,C=US - - ok
>>
>> unknown-52393 is apparently QUIC crypto.
>>
>> James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 3548 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160708/a035314f/attachment-0001.obj
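
An added example, not part of the original thread and not Bro project code: a post-processor for a tab-separated ssl.log written by a Bro release that predates RFC 7905, rewriting `unknown-<n>` cipher values to their IANA names (52393 is 0xCCA9) and counting the codes it still cannot name. The sample log rows, addresses and the function name `resolve_ssl_log` are constructed for illustration.

```python
import re

# RFC 7905 ChaCha20-Poly1305 cipher suites (IANA values).
RFC7905 = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAB: "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAC: "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAD: "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAE: "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
}
UNKNOWN = re.compile(r"unknown-(\d+)$")

# Constructed sample: a trimmed ssl.log with a reduced field set.
SAMPLE = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tcurve\tserver_name",
    "1467398115.0\tCuid0001\t192.0.2.10\t38151\t198.51.100.20\t443\tTLSv12\tunknown-52393\t-\texample.test",
    "1467398120.0\tCuid0002\t192.0.2.10\t38152\t198.51.100.21\t443\tTLSv12\tunknown-4865\t-\texample.test",
    "1467398125.0\tCuid0003\t192.0.2.10\t38153\t198.51.100.22\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tsecp256r1\texample.test",
]

def resolve_ssl_log(lines):
    """Return (rewritten_lines, unresolved_code_counts) for a Bro TSV ssl.log."""
    out, unresolved, cipher_idx = [], {}, None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            names = line.split("\t")[1:]          # column names follow the tag
            cipher_idx = names.index("cipher") if "cipher" in names else None
        if line.startswith("#") or cipher_idx is None:
            out.append(line)                      # header lines pass through
            continue
        cols = line.split("\t")
        m = UNKNOWN.match(cols[cipher_idx]) if cipher_idx < len(cols) else None
        if m:
            code = int(m.group(1))
            if code in RFC7905:
                cols[cipher_idx] = RFC7905[code]
            else:                                 # leave the value, but report it
                unresolved[code] = unresolved.get(code, 0) + 1
        out.append("\t".join(cols))
    return out, unresolved

if __name__ == "__main__":
    for row in resolve_ssl_log(SAMPLE)[0]:
        print(row)
```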