[Bro] Gigamon issues

Carl Rotenan carlrotenan at gmail.com
Mon Jun 4 16:54:00 PDT 2018


It installs a common SSL cert that is trusted by the browser and acts as a man
in the middle, decrypting and re-encrypting to the destination.

On Mon, Jun 4, 2018 at 2:50 PM, Michael Shirk <shirkdog.bsd at gmail.com>
wrote:

> I thought Gigamon could only decrypt based on private keys it knew
> about (not full SSL decryption of all traffic).
>
> Is that how you are capturing this traffic?
>
>
>
> On Mon, Jun 4, 2018 at 11:43 AM, Carl Rotenan <carlrotenan at gmail.com>
> wrote:
> > Hello,
> >
> > I'm trying to extract files from traffic coming from a Gigamon box doing SSL
> > decryption, but Bro doesn't seem to like or be able to comprehend the data. I
> > get the following entries in my weird.log file. Does anyone have a Gigamon
> > they are able to do this with, or any ideas what the logs seem to
> > indicate?
> >
> > Thanks,
> >
> > Carl
> >
> > #separator \x09
> > #set_separator ,
> > #empty_field (empty)
> > #unset_field -
> > #path weird
> > #open 2018-06-04-11-37-09
> > #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
> > #types time string addr port addr port string string bool string
> > 1528122717.528452 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80
> > SYN_seq_jump - F bro
> > 1528122720.752922 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80
> > window_recision - F bro
> > 1528122782.018423 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80
> > SYN_seq_jump - F bro
> > 1528122782.018433 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80
> > TCP_ack_underflow_or_misorder - bro
> > 1528122782.237519 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80
> > TCP_seq_underflow_or_misorder - bro
> > 1528122805.509482 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80
> > SYN_seq_jump - F bro
> > 1528122808.723988 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80
> > window_recision - F bro
> > #close 2018-06-04-11-37-09
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
>
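The weird.log excerpt above is easier to reason about once the entries are grouped per connection: all four weird names Carl posted are TCP sequence/ack irregularities, and seeing that every affected connection carries only that kind of weird is what separates "the stream was rewritten somewhere on the path" from an application-layer parsing problem. The following script is an added example for this thread, not Bro's own code and not anything from Gigamon; it parses a Bro ASCII log using its own `#separator`/`#fields`/`#unset_field` header directives, tallies weird names per `uid`, and lists the connections and endpoint triples involved. The sample log is the one from the message, re-joined onto single tab-separated lines (two rows in the message as posted have only nine columns, and the parser reports those rather than guessing the missing value). The `TCP_SEQ_WEIRDS` set is my choice of names to treat as sequence anomalies.

```python
"""Group Bro/Zeek weird.log entries by connection to see where TCP-level
anomalies cluster.  Added example for the thread above; it is not Bro's
code and it does not decide whether the decryption appliance is the cause."""
from collections import Counter, defaultdict

# Weird names Bro raises for TCP sequence/ack irregularities.  These four are
# exactly the ones that appear in the posted log (set chosen for this example).
TCP_SEQ_WEIRDS = {
    "SYN_seq_jump",
    "window_recision",
    "TCP_ack_underflow_or_misorder",
    "TCP_seq_underflow_or_misorder",
}

# Header written the way Bro writes it: "#separator" is followed by a space and
# an escape sequence, every other directive uses the declared separator (tab).
_HDR = [
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tweird",
    "#open\t2018-06-04-11-37-09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring",
]
# The seven records from the message, one per line.  The two *_underflow_or_misorder
# rows have only nine columns in the message as posted and are kept that way.
_ROWS = [
    ("1528122717.528452", "Cqshm33SbZlmFKbUn2", "10.1.10.122", "52544", "134.213.72.175", "80", "SYN_seq_jump", "-", "F", "bro"),
    ("1528122720.752922", "Cqshm33SbZlmFKbUn2", "10.1.10.122", "52544", "134.213.72.175", "80", "window_recision", "-", "F", "bro"),
    ("1528122782.018423", "Ccnbkv2S8zjS0Znc35", "10.1.10.122", "52545", "134.213.72.175", "80", "SYN_seq_jump", "-", "F", "bro"),
    ("1528122782.018433", "Ccnbkv2S8zjS0Znc35", "10.1.10.122", "52545", "134.213.72.175", "80", "TCP_ack_underflow_or_misorder", "-", "bro"),
    ("1528122782.237519", "Ccnbkv2S8zjS0Znc35", "10.1.10.122", "52545", "134.213.72.175", "80", "TCP_seq_underflow_or_misorder", "-", "bro"),
    ("1528122805.509482", "Cd5o3I37LutpcsMP8a", "10.1.10.122", "52546", "134.213.72.175", "80", "SYN_seq_jump", "-", "F", "bro"),
    ("1528122808.723988", "Cd5o3I37LutpcsMP8a", "10.1.10.122", "52546", "134.213.72.175", "80", "window_recision", "-", "F", "bro"),
]
SAMPLE_WEIRD_LOG = "\n".join(_HDR + ["\t".join(r) for r in _ROWS] + ["#close\t2018-06-04-11-37-09"])


def parse_bro_log(text):
    """Parse a Bro ASCII log into (records, problems).

    records: one dict per data row, keyed by the #fields names, unset values -> None.
    problems: (line number, column count) for rows whose column count differs
    from the header; such rows are kept but their trailing fields are unreliable.
    """
    sep, unset, fields = "\t", "-", None
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#separator "):
            # Bro writes the separator as an escape sequence, e.g. \x09 for tab.
            sep = raw.split(" ", 1)[1].strip().encode("ascii").decode("unicode_escape")
            continue
        if raw.startswith("#"):
            parts = raw[1:].split(sep)
            if parts[0] == "fields":
                fields = parts[1:]
            elif parts[0] == "unset_field":
                unset = parts[1]
            continue  # #set_separator, #path, #open, #close, #types: not needed here
        if fields is None:
            raise ValueError(f"line {lineno}: data row before #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            problems.append((lineno, len(values)))
        rec = {f: (None if v == unset else v) for f, v in zip(fields, values)}
        for f in fields[len(values):]:  # pad short rows so every key exists
            rec[f] = None
        records.append(rec)
    return records, problems


def weirds_by_connection(records):
    """Map each connection uid to the ordered list of weird names seen on it."""
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r["name"])
    return dict(by_uid)


def weird_name_counts(records):
    """How often each weird name occurs across the log."""
    return Counter(r["name"] for r in records)


def connections_with_only_tcp_seq_weirds(records, suspect=TCP_SEQ_WEIRDS):
    """uids whose every weird is a TCP sequence/ack anomaly.

    That is the shape expected if something on the path rewrote the byte stream,
    but also the shape of plain loss or reordering at the tap, so treat the
    result as the list of connections to compare against a pcap, not a verdict.
    """
    by_uid = weirds_by_connection(records)
    return sorted(uid for uid, names in by_uid.items() if names and set(names) <= suspect)


def endpoints_affected(records):
    """Distinct (orig_h, resp_h, resp_p) triples, to check whether every
    affected flow actually traverses the decryption path."""
    return sorted({(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]) for r in records})


if __name__ == "__main__":
    recs, probs = parse_bro_log(SAMPLE_WEIRD_LOG)
    print("rows:", len(recs), "short rows:", probs)
    print("counts:", dict(weird_name_counts(recs)))
    print("tcp-seq-only connections:", connections_with_only_tcp_seq_weirds(recs))
    print("endpoints:", endpoints_affected(recs))
```

Run it as-is to see the posted log summarised; point `parse_bro_log` at the contents of a real weird.log to do the same on live data. On the posted excerpt every connection comes out as sequence-anomaly-only and all of them are the same client talking to the same server on port 80, which is the kind of fact worth checking against a capture taken on the other side of the appliance.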