[Bro] Writing to SSL log

Azoff, Justin S jazoff at illinois.edu
Thu Sep 13 10:50:04 PDT 2018


> On Sep 13, 2018, at 1:31 PM, Neslog <neslog at gmail.com> wrote:
> 
> I've extended the SSL log with 2 fields.
> 
> redef record SSL::Info += {
>     foo: int &log &optional;
>     bar: string &log &optional;
> };
> 
> 
> I'm trying to set the values in the "connection_state_remove" event with the following.
> 
> event connection_state_remove(c: connection) {
>   # Guard: this event fires for every connection, not only SSL ones,
>   # and c$ssl is only set once the SSL analyzer has attached.
>   if ( ! c?$ssl )
>     return;
>   c$ssl$foo = 1;
>   c$ssl$bar = "TEST";
> }
> 
> ssl.log shows the fields in the #fields line but the fields remain "-".  I've tried messing with the priority level but it's not working.  Something else going on here?

That works for most things, but the ssl log is primarily written to at the end of the ssl negotiation, not the end of the connection.

If you look in scripts/base/protocols/ssl/main.bro you see that the ssl log is written to by the log_record / finish helper functions, which are called from:

ssl_established, connection_state_remove (if not already logged!), and protocol_violation, so in your case, what could work is

event ssl_established(c: connection) {
  c$ssl$foo = 1;
  c$ssl$bar = "TEST";
}

However, the ssl script also has this feature:

    # Hook that can be used to perform actions right before the log record
    # is written.
    global ssl_finishing: hook(c: connection);

So to ensure you catch everything and run at the right time, this will work even better:

hook SSL::ssl_finishing(c: connection) {
  # Runs right before the record is written, for every SSL connection,
  # whichever of the three call sites above triggers the write.
  c$ssl$foo = 1;
  c$ssl$bar = "TEST";
}


-- 
Justin Azoff
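A fuller version of the two handler placements discussed above, as an added example that is not from the thread: it records the handshake duration from ssl_established and a completion state from SSL::ssl_finishing, so connections whose handshake never completed still get a value in ssl.log. The module name and the field names handshake_secs and finish_state are assumptions.

```zeek
# Added example, not part of the mailing list thread.
# Assumed names: module SSLTiming, fields handshake_secs and finish_state.
@load base/protocols/ssl

module SSLTiming;

redef record SSL::Info += {
    ## Time from the connection's first packet to ssl_established.
    handshake_secs: interval &log &optional;
    ## "established" or "incomplete", set right before the record is written.
    finish_state: string &log &optional;
};

# Fires once the handshake has completed. The SSL::Info record is still
# open at this point, so fields set here reach ssl.log.
event ssl_established(c: connection)
    {
    if ( ! c?$ssl )
        return;
    c$ssl$handshake_secs = network_time() - c$start_time;
    }

# Fires immediately before the record is logged, whether the write was
# triggered by ssl_established, connection_state_remove or a protocol
# violation. SSL::Info's built-in `established` flag tells the two apart,
# which makes incomplete handshakes easy to filter for in ssl.log.
hook SSL::ssl_finishing(c: connection)
    {
    if ( ! c?$ssl )
        return;
    c$ssl$finish_state = c$ssl$established ? "established" : "incomplete";
    }
```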
