[Bro] Gigamon issues

Michael Shirk shirkdog.bsd at gmail.com
Mon Jun 4 11:50:44 PDT 2018


I thought Gigamon could only decrypt based on private keys it knew
about (not full SSL decryption of all traffic).

Is that how you are capturing this traffic?



On Mon, Jun 4, 2018 at 11:43 AM, Carl Rotenan <carlrotenan at gmail.com> wrote:
> Hello,
>
> I'm trying to extract files from traffic coming from a Gigamon box doing SSL
> decryption, but Bro doesn't seem to like or be able to comprehend the data. I
> get the following entries in my weird.log file. Does anyone have a Gigamon
> they are able to do this with, or any ideas what the logs seem to indicate?
>
> Thanks,
>
> Carl
>
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path weird
> #open 2018-06-04-11-37-09
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
> #types time string addr port addr port string string bool string
> 1528122717.528452 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122720.752922 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 window_recision - F bro
> 1528122782.018423 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122782.018433 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_ack_underflow_or_misorder - bro
> 1528122782.237519 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_seq_underflow_or_misorder - bro
> 1528122805.509482 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122808.723988 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 window_recision - F bro
> #close 2018-06-04-11-37-09
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com
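The weird.log excerpt in the quoted message is all TCP sequence and window anomalies (SYN_seq_jump, window_recision, TCP_ack_underflow_or_misorder, TCP_seq_underflow_or_misorder) on the same client and server pair. The script below is an added triage example, not code from this thread or from the Bro/Zeek project: it parses the tab-separated weird.log format (using the `#fields` header rather than hard-coded column positions), tolerates rows with fewer columns than the header declares (two of the quoted rows are missing the `notice` column as they appear in the mail), and groups the sequence-anomaly weirds per connection uid so you can see whether they cluster on one feed or one server rather than across hosts. The sample log is reconstructed from the quoted post with tab separators restored, and the set of weird names treated as "TCP anomalies" is this example's own selection, not a Zeek category.

```python
"""Group Bro/Zeek weird.log TCP sequence anomalies by connection (added example)."""
from collections import Counter, defaultdict

# Weird names that point at inconsistent TCP sequence/window state. A middlebox
# that decrypts and re-emits traffic can produce these on every flow, so a high
# share of them across all weirds suggests looking at the feed, not the hosts.
# (Assumption: this grouping is the example's own, not a Zeek-defined category.)
TCP_ANOMALY_WEIRDS = {
    "SYN_seq_jump",
    "window_recision",
    "TCP_ack_underflow_or_misorder",
    "TCP_seq_underflow_or_misorder",
}

# Constructed sample: the rows from the quoted post, with tabs restored. Two rows
# carry only nine columns, as they appear in the mail.
SAMPLE_WEIRD_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tweird",
    "#open\t2018-06-04-11-37-09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring",
    "1528122717.528452\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro",
    "1528122720.752922\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\twindow_recision\t-\tF\tbro",
    "1528122782.018423\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro",
    "1528122782.018433\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tTCP_ack_underflow_or_misorder\t-\tbro",
    "1528122782.237519\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\tTCP_seq_underflow_or_misorder\t-\tbro",
    "1528122805.509482\tCd5o3I37LutpcsMP8a\t10.1.10.122\t52546\t134.213.72.175\t80\tSYN_seq_jump\t-\tF\tbro",
    "1528122808.723988\tCd5o3I37LutpcsMP8a\t10.1.10.122\t52546\t134.213.72.175\t80\twindow_recision\t-\tF\tbro",
    "#close\t2018-06-04-11-37-09",
])


def parse_weird_log(text):
    """Parse ASCII weird.log text into dicts keyed by the names in the #fields header.

    Rows whose column count differs from the header are kept but flagged with
    '_incomplete' = True instead of being dropped or guessed at.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue  # other directives (#separator, #types, #open, #close) are skipped
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        rec = dict(zip(fields, values))  # zip truncates at the shorter side
        rec["_incomplete"] = len(values) != len(fields)
        records.append(rec)
    return records


def count_by_name(records):
    """Total occurrences of each weird name."""
    return Counter(r["name"] for r in records)


def tcp_anomaly_share(records):
    """Fraction of all weird entries that are TCP sequence/window anomalies."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r["name"] in TCP_ANOMALY_WEIRDS)
    return hits / len(records)


def summarize_by_connection(records):
    """Map (uid, orig_h, resp_h, resp_p) -> Counter of TCP-anomaly weird names."""
    summary = defaultdict(Counter)
    for r in records:
        if r["name"] in TCP_ANOMALY_WEIRDS:
            key = (r["uid"], r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
            summary[key][r["name"]] += 1
    return dict(summary)


if __name__ == "__main__":
    recs = parse_weird_log(SAMPLE_WEIRD_LOG)
    print("weirds by name:", dict(count_by_name(recs)))
    print("TCP anomaly share: %.2f" % tcp_anomaly_share(recs))
    print("rows with missing columns:", sum(r["_incomplete"] for r in recs))
    for key, names in summarize_by_connection(recs).items():
        print(key, dict(names))
```

Running it on the sample reports that every entry is a TCP anomaly (share 1.00) and that all three connections share the same client and server, which is the pattern to compare against a capture taken upstream of the decrypting appliance: if the same flows are clean there, the anomalies come from how the appliance re-emits the decrypted stream rather than from the endpoints. Point it at a real file with `parse_weird_log(open("weird.log").read())`.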

