[Bro] SSL Events not being triggered

Shaanan Cohney shaananc at hotmail.com
Thu Jun 22 01:47:56 PDT 2017


Still encountering the problem with another pcap.

Sorry for the extra message!

Any ideas?
________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Shaanan Cohney <shaananc at hotmail.com>
Sent: Thursday, June 22, 2017 4:29:07 AM
To: bro at bro.org
Subject: Re: [Bro] SSL Events not being triggered


Solved it after a while.


All the pcaps I was using had invalid checksums.


If anyone comes across this thread with the same problem see https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

Thanks!

________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Shaanan Cohney <shaananc at hotmail.com>
Sent: Thursday, June 22, 2017 3:42:01 AM
To: bro at bro.org
Subject: [Bro] SSL Events not being triggered


I am having trouble getting any SSL events to trigger.


I've tested scripts against the snakeoil pcap from the wireshark sample pages, as well as my own data.


I've also tried scripts ranging from the one I actually plan to use, along with a few barebones ones.


When I use the -d flag and break on a connection I can see port 443 in the four-tuple, but the SSL field remains uninitialized.


Here's a sample of something I tried:


event bro_init() {
    # Both attempts to force the SSL analyzer on were tried and then
    # commented out again; the script behaves the same either way.
    #Analyzer::enable_analyzer(Analyzer::ANALYZER_SSL);
    #Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 443/tcp);
}

# Should fire once per completed TLS handshake; it never does.
event ssl_established(c: connection) &priority=3 {
    print c;
}

I've also tried my own compiled version of bro, and the apt package on the latest version of ubuntu.

I'm running bro as follows

bro -r a.pcap ./nameofscript.bro

Any help would be much appreciated!

Thanks,
snc
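What the checksum FAQ referenced in the thread above actually describes, shown as an added example (this is not code from the thread or from the Bro project): a passive monitor validates the IPv4 header checksum and the TCP checksum of each segment before handing it to a protocol analyzer, and a segment that fails is skipped, so the SSL analyzer never sees the handshake. The script builds a constructed IPv4/TCP packet to port 443 carrying a TLS record header, once with correct checksums and once with the zeroed checksums a local capture shows when the NIC fills them in after the capture point (checksum offload), and verifies both with the RFC 1071 one's-complement sum. Addresses, ports and payload bytes are constructed for the demo.

```python
"""Added example: why a capture with bad checksums yields no SSL events.

Recompute the IPv4 header checksum and the TCP checksum (RFC 1071) of a
constructed packet, once with correct checksums and once with zeroed
checksums, and report whether a checksum-validating monitor would keep it.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: 16-bit one's-complement sum of `data`, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_ipv4_tcp(packet: bytes) -> dict:
    """Check the IPv4 header checksum and, for TCP, the TCP checksum.

    `packet` is a bare IPv4 packet (no Ethernet header). Summing a header
    that already contains its checksum yields 0xFFFF, so the complemented
    result is 0 exactly when the checksum is intact.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ip_ok = ones_complement_sum(packet[:ihl]) == 0
    if packet[9] != 6:  # not TCP: only the IP header can be checked
        return {"ip_ok": ip_ok, "tcp_ok": None}
    segment = packet[ihl:total_len]
    # TCP pseudo-header: src addr, dst addr, zero, protocol, TCP length
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    tcp_ok = ones_complement_sum(pseudo + segment) == 0
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok}


def build_ipv4_tcp(payload: bytes, fill_checksums: bool = True) -> bytes:
    """Constructed IPv4/TCP packet 10.0.0.1:51000 -> 10.0.0.2:443.

    With fill_checksums=False both checksum fields stay zero, which is what
    a capture taken on the sending host shows when the NIC computes the
    checksums (checksum offload) after the packet has been captured.
    """
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    if fill_checksums:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
        csum = ones_complement_sum(pseudo + tcp_hdr + payload)
        tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto TCP, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    if fill_checksums:
        csum = ones_complement_sum(ip_hdr)
        ip_hdr = ip_hdr[:10] + struct.pack("!H", csum) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


# Constructed payload: a TLS record header (handshake, version 3.1, length 5) plus 5 bytes.
CLIENT_HELLO_STUB = b"\x16\x03\x01\x00\x05hello"


def compare_captures() -> dict:
    """Verify the same segment with good and with zeroed checksums."""
    good = verify_ipv4_tcp(build_ipv4_tcp(CLIENT_HELLO_STUB, True))
    offloaded = verify_ipv4_tcp(build_ipv4_tcp(CLIENT_HELLO_STUB, False))
    return {"good": good, "offloaded": offloaded}


if __name__ == "__main__":
    for name, result in compare_captures().items():
        status = "passed to analyzers" if all(result.values()) else "dropped before analysis"
        print(f"{name:10s} {result} -> {status}")
```

The zeroed-checksum packet fails both checks even though its TCP payload is perfectly good TLS, which matches the symptom in the thread: the connection shows up with port 443 in the four-tuple, but no SSL analyzer ever runs. As the linked FAQ explains, the remedies are to run Bro with the -C flag, to put `redef ignore_checksums = T;` in the script, or to capture at a point (a span port or tap rather than the sending host) where the checksums are already filled in.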
