[Bro] expire-certs.bro can I get the expiry date too?
Ludwig Goon
lagoon7 at gmail.com
Mon Oct 30 16:32:46 PDT 2017
Does that only apply to the variable number of days before expiry? So for
instance if it set to 30 days all of those will fire within the 30 day
window. Whereas everything else outside of the window will not fire. So if
we want every cert we detect to fire should we set it to 0 or to like to
3650 days? I may have answered my own question but still wanna get your
reponse.
On Mon, Oct 30, 2017 at 10:41 Seth Hall <seth at corelight.com> wrote:
>
>
> On 29 Oct 2017, at 18:01, Ludwig Goon wrote:
>
> > Is there a way to also print in the notice.log the actual date the
> > cert expires?
>
> If you're talking about the notice from the
> policy/protocols/ssl/expiring-certs.bro then the date should already be
> in there. For the three notices that script defines, you should get
> these messages...
>
> - fmt("Certificate %s isn't valid until %T", cert$subject,
> cert$not_valid_before)
> - fmt("Certificate %s expired at %T", cert$subject,
> cert$not_valid_after),
> - fmt("Certificate %s is going to expire at %T", cert$subject,
> cert$not_valid_after),
>
> .Seth
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171030/a69bbc2b/attachment.html
More information about the Bro
mailing list