[Bro] &log cert_chain attribute (vector of Files::info) in ssl.log file
Johanna Amann
johanna at icir.org
Wed Apr 5 09:34:08 PDT 2017
Hi,

yes, you are right, cert_chain can currently not be logged. The logging
framework is limited to fields that can be represented in ASCII columns;
hence only vectors of base-types can be logged. Files::info is not a base
type :).

What exactly do you want to log? The hashes?

In this case, the way to do this is to add an event handler that takes the
information in cert_chain, transforms it into a format that can be logged,
and writes it into another field. For example, if you want to log the
certificate hashes, you would go through the cert_chain, extract all
hashes, and then write them to a field of type vector of string, which can
be logged.

I hope this helps :)

Johanna

On Tue, Mar 28, 2017 at 01:33:51PM -0400, Robert Harrelson wrote:
> &log cert_chain attribute (vector of Files::info) in ssl.log file.
>
> I would like to list the server's chain of certificates in ssl.log (log of
> handshake data) alongside each handshake.
>
> In ssl.log, the cert_chain attribute (certificate chain of the server) is
> not being logged, and is of type *vector of Files::info*. When I tried to
> add "&log" attribute to cert_chain in files.bro, it gave an error that:
>
> ".... cert_chain is of type that cannot be logged."
>
> When I tried changing the type from *vector of Files::info* to *vector of
> string*, it sprang up some different errors since cert_chain is referenced
> as a *vector of Files::info* in other parts of files.bro script.
>
> Please tell me how I can log the cert_chain attribute in ssl.log file.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
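
The approach described in the reply, written out as an added example that is not part of the original thread and is not Bro's own code: an event handler walks cert_chain and copies each certificate's SHA1 into a loggable vector of string. The field name cert_chain_sha1 and the helper fill_chain_hashes are hypothetical; the script assumes the stock scripts attach a sha1 field to each chain entry and write ssl.log from handlers that run at a lower priority than the ones below.

```bro
# Added example, not from the original thread. Assumes Bro 2.5-style scripts:
# the "sha1" field on each cert_chain entry comes from the stock file-hashing
# script, and ssl.log is written by lower-priority handlers than these.
@load base/protocols/ssl
@load base/files/hash

redef record SSL::Info += {
	## SHA1 of every certificate in the server chain, in chain order.
	## The field name is made up for this example.
	cert_chain_sha1: vector of string &log &optional;
};

# Copy the hashes out of the unloggable cert_chain into a loggable field.
function fill_chain_hashes(c: connection)
	{
	if ( ! c?$ssl || ! c$ssl?$cert_chain || c$ssl?$cert_chain_sha1 )
		return;

	local hashes: vector of string = vector();

	for ( i in c$ssl$cert_chain )
		{
		if ( c$ssl$cert_chain[i]?$sha1 )
			hashes[i] = c$ssl$cert_chain[i]$sha1;
		else
			# Keep positions aligned with the chain if a hash is missing.
			hashes[i] = "unknown";
		}

	if ( |hashes| > 0 )
		c$ssl$cert_chain_sha1 = hashes;
	}

# Completed handshakes.
event ssl_established(c: connection) &priority=3
	{
	fill_chain_hashes(c);
	}

# Handshakes that never completed but still delivered certificates.
event connection_state_remove(c: connection) &priority=3
	{
	fill_chain_hashes(c);
	}
```

Logging the full chain rather than only the leaf hash lets an analyst pivot on an unexpected intermediate or root directly from ssl.log.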