[Bro] Log serial number in ssl.log

Azoff, Justin S jazoff at illinois.edu
Wed Mar 29 13:29:07 PDT 2017


> On Mar 29, 2017, at 4:20 PM, Robert Harrelson <bobharrelsons at gmail.com> wrote:
> 
> How do I log the serial number of the certificate in ssl.log?
> 
> I tried to perform this in the protocols/ssl/files.bro file at the event ssl_established(), but this event is almost never called. This means that issuer and subject also almost never get logged.
> 
> Is this because the handshake happens at line speed, but the certificate does not get processed as fast, so the certificate details are almost never available to Bro when it logs the handshake data in ssl.log?
> 
> Thanks,
> 
> Robert

It sounds like your Bro installation is not functioning properly. ssl_established is raised on every SSL connection and includes all of the information about the handshake.

What do the ssl.log and conn.log entries look like for one of the SSL connections that is missing the issuer and subject fields?

-- 
- Justin Azoff
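
One way to pull the entries asked for above, as an added example that is not part of the original message or of Bro itself: it reads ssl.log and conn.log in Bro's tab-separated ASCII format, finds SSL connections with no subject or issuer, and joins them to their conn.log row by uid. The function names are hypothetical, and the sample logs are constructed, trimmed to a few columns, and use "|" in place of the tab separator for readability.

```python
# Constructed sample logs (not real traffic); "|" stands in for the tab separator.
SSL_LOG = """
#fields|ts|uid|id.resp_h|version|resumed|established|subject|issuer
1490818800.0|Caaa111|192.0.2.10|TLSv12|F|T|CN=www.example.com|CN=Example CA
1490818801.0|Cbbb222|192.0.2.11|TLSv12|F|F|-|-
1490818802.0|Cccc333|192.0.2.12|TLSv12|T|T|-|-
""".replace("|", "\t")

CONN_LOG = """
#fields|ts|uid|service|conn_state|missed_bytes|history
1490818800.0|Caaa111|ssl|SF|0|ShADadFf
1490818801.0|Cbbb222|ssl|S1|2896|ShADadg
1490818802.0|Cccc333|ssl|SF|0|ShADadFf
""".replace("|", "\t")

UNSET = {"-", "(empty)"}  # how Bro's ASCII writer renders unset / empty values


def parse_bro_log(text):
    """Parse a Bro ASCII log: '#fields' names the columns, other '#' lines are metadata."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def missing_cert_details(ssl_text, conn_text):
    """Return ssl.log rows lacking subject or issuer, joined to conn.log by uid."""
    conn_by_uid = {row["uid"]: row for row in parse_bro_log(conn_text)}
    report = []
    for ssl in parse_bro_log(ssl_text):
        if ssl.get("subject", "-") in UNSET or ssl.get("issuer", "-") in UNSET:
            conn = conn_by_uid.get(ssl["uid"], {})
            report.append({
                "uid": ssl["uid"],
                "established": ssl.get("established", "-"),
                "resumed": ssl.get("resumed", "-"),
                "conn_state": conn.get("conn_state", "-"),
                "missed_bytes": conn.get("missed_bytes", "-"),
                "history": conn.get("history", "-"),
            })
    return report


if __name__ == "__main__":
    for entry in missing_cert_details(SSL_LOG, CONN_LOG):
        print(entry)
```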




