[Bro] expire-certs.bro can I get the expiry date too?
Seth Hall
seth at corelight.com
Mon Oct 30 17:15:50 PDT 2017
Oh, if you're just looking for when all certificates expire it sounds
like you want the "not_valid_before" and "not_valid_after" timestamps in
the x509 log. Is that what you wanted?
.Seth
On 30 Oct 2017, at 19:32, Ludwig Goon wrote:
> Does that only apply to the variable number of days before expiry? So
> for
> instance if it set to 30 days all of those will fire within the 30 day
> window. Whereas everything else outside of the window will not fire.
> So if
> we want every cert we detect to fire should we set it to 0 or to like
> to
> 3650 days? I may have answered my own question but still wanna get
> your
> reponse.
>
> On Mon, Oct 30, 2017 at 10:41 Seth Hall <seth at corelight.com> wrote:
>
>>
>>
>> On 29 Oct 2017, at 18:01, Ludwig Goon wrote:
>>
>>> Is there a way to also print in the notice.log the actual date the
>>> cert expires?
>>
>> If you're talking about the notice from the
>> policy/protocols/ssl/expiring-certs.bro then the date should already
>> be
>> in there. For the three notices that script defines, you should get
>> these messages...
>>
>> - fmt("Certificate %s isn't valid until %T", cert$subject,
>> cert$not_valid_before)
>> - fmt("Certificate %s expired at %T", cert$subject,
>> cert$not_valid_after),
>> - fmt("Certificate %s is going to expire at %T", cert$subject,
>> cert$not_valid_after),
>>
>> .Seth
>>
>> --
>> Seth Hall * Corelight, Inc * www.corelight.com
>>
--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171030/7ae7feb6/attachment.html
More information about the Bro
mailing list