[Bro] &log cert_chain attribute (vector of Files::info) in ssl.log file

Johanna Amann johanna at icir.org
Wed Apr 5 09:34:08 PDT 2017


Hi,

yes, you are right, cert_chain can currently not be logged. The logging
framework is limited to fields that can be represented in ASCII columns;
hence only vectors of base-types can be logged. Files::info is not a base
type :).

What exactly do you want to log? The hashes?

In this case, the way to do this is to add an event handler that takes the
information in cert_chain, transforms it into a format that can be logged,
and writes it into another field. For example, if you want to log the
certificate hashes, you would go through the cert_chain, extract all
hashes, and then write them to a field of type vector of string, which can
be logged.

I hope this helps :)
 Johanna

On Tue, Mar 28, 2017 at 01:33:51PM -0400, Robert Harrelson wrote:
> &log cert_chain attribute (vector of Files::info) in ssl.log file.
> 
> I would like to list the server's chain of certificates in ssl.log (log of
> handshake data) alongside each handshake.
> 
> In ssl.log, the cert_chain attribute (certificate chain of the server) is
> not being logged, and is of type *vector of Files::info*. When I tried to
> add "&log" attribute to cert_chain in files.bro, it gave an error that:
> 
> ".... cert_chain is of type that cannot be logged."
> 
> When I tried changing the type from *vector of Files::info* to *vector of
> string*, it sprang up some different errors since cert_chain is referenced
> as a *vector of Files::info* in other parts of files.bro script.
> 
> Please tell me how I can log the cert_chain attribute in ssl.log file.

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
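
The approach described in the reply above, written out as an added example; it is not code from the thread or from the Bro distribution. The field name `cert_chain_sha1` and the handler priority are assumptions, and it assumes the SHA1 file analyzer has already filled in the `sha1` field of each `cert_chain` entry by the time the handshake completes.

```bro
@load base/protocols/ssl

# Extend the ssl.log record with a field the logging framework can write:
# a vector of a base type (string) instead of a vector of records.
# "cert_chain_sha1" is a hypothetical name chosen for this example.
redef record SSL::Info += {
	## SHA1 hashes of the server's certificate chain, in chain order.
	cert_chain_sha1: vector of string &log &optional;
};

# Run before the SSL scripts write the log entry for this connection.
# The priority value is an assumption; it only has to be higher than
# the priority of the handler that writes ssl.log.
event ssl_established(c: connection) &priority=3
	{
	# Nothing to do when no server certificate was seen, for example
	# on a resumed session.
	if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
		return;

	local hashes: vector of string = vector();

	for ( i in c$ssl$cert_chain )
		{
		local f = c$ssl$cert_chain[i];

		# The hash is an optional field of the file record, so check
		# for it; entries without a hash are skipped.
		if ( f?$sha1 )
			hashes[|hashes|] = f$sha1;
		}

	# Leave the field unset when no hash could be extracted, so the
	# column shows up as unset in ssl.log.
	if ( |hashes| > 0 )
		c$ssl$cert_chain_sha1 = hashes;
	}
```

Because entries without a hash are skipped, the positions in `cert_chain_sha1` match the positions in `cert_chain` only when every certificate in the chain was hashed.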


