[Bro] Fwd: Certificate extraction issue

Johanna Amann johanna at icir.org
Fri Feb 2 09:21:07 PST 2018


Hi Timur,

> Hello, everybody
> 
> 
> I have a trouble I can't wrap my head around.
> I'm trying to extract SSL certificates from traffic and I have an event
> handler like this:
> 
> ```
> event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) {
>     local fileName = fmt("%s", current_time());
>     print fileName;
>     local fname = fmt("%s%s.%s", path, fileName, "pem");
>     local args: Files::AnalyzerArgs = record($extract_filename=fname);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
> }
> ```
> 
> For some reason I don't understand, Bro can't add the analyzer to my files and
> I'm not getting any files extracted:
> ```
> 1517409279.894576 warning in
> /opt/bro/share/bro/base/frameworks/files/./main.bro, line 394: Analyzer
> Files::ANALYZER_EXTRACT not added successfully to file Fp4AgEzEtME36Nfl2.
> ```

Files::add_analyzer can only be called quite early - when all of the bytes
of the file are still buffered in the core; I think the last time this is
possible is the file_sniff event.

That being said, with certificates you have a few other options for saving
them to disk later. I would recommend looking at the
policy/protocols/ssl/extract-certs-pem.bro script that ships with Bro.

Johanna
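An added example (not part of Johanna's reply or of the Bro distribution) of attaching the extraction analyzer early, in file_sniff, as the reply suggests; the module name, the output directory and the set of certificate MIME types are assumptions:

```bro
@load base/files/extract
@load base/protocols/ssl

module CertExtract;

# Extracted files are written under FileExtract::prefix (this directory is an assumption).
redef FileExtract::prefix = "./extracted-certs/";

export {
    ## MIME types that certificate files carry (assumption: the types the
    ## X509 file analyzer is registered for).
    const cert_mime_types: set[string] = {
        "application/x-x509-user-cert",
        "application/x-x509-ca-cert",
        "application/pkix-cert"
    } &redef;
}

# file_sniff fires while all of the file's bytes are still buffered in the
# core, so an analyzer added here sees the complete file. By the time
# x509_certificate fires the buffer has already been handed off and
# Files::add_analyzer fails with the warning quoted above.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only act on certificates delivered by the SSL/TLS analyzer.
    if ( f$source != "SSL" )
        return;
    if ( ! meta?$mime_type || meta$mime_type !in cert_mime_types )
        return;

    # f$id is unique per file and safe to use in a path, unlike current_time().
    # The extracted bytes are the raw DER certificate, not PEM.
    local fname = fmt("%s-%s.der", f$source, f$id);
    local args = Files::AnalyzerArgs($extract_filename=fname);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
    }
```

For PEM output, the x509_certificate handler in extract-certs-pem.bro converts the parsed certificate with x509_get_certificate_string instead of extracting the file bytes.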

