[Bro] Writing to SSL log

Neslog neslog at gmail.com
Thu Sep 13 12:46:24 PDT 2018


Justin, thanks!  I remember having to use a different before to log it.  I
loaded up ssl and the following script but it's not firing off.

test.bro:

hook ssl_finishing(c: connection) {
  print "SSL Finishing Event!";
}

Is there much of a delay for this to execute?



On Thu, Sep 13, 2018 at 1:50 PM Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Sep 13, 2018, at 1:31 PM, Neslog <neslog at gmail.com> wrote:
> >
> > I've extended the SSL log with 2 fields.
> >
> > redef record SSL::Info += {
> >     foo: int &log &optional;
> >     bar: string &log &optional;
> > };
> >
> >
> > I'm trying to set the values in the "connection_state_remove" event
> with the following.
> >
> > event connection_state_remove(c: connection) {
> >   c$ssl$foo = 1;
> >   c$ssl$bar = "TEST";
> > }
> >
> > ssl.log shows the fields in the #fields line but the fields remain "-".
> I've tried messing with the priority level but it's not working.  Something
> else going on here?
>
> That works for most things, but the ssl log is primarily written to at the
> end of the ssl negotiation, not the end of the connection.
>
> if you look in scripts/base/protocols/ssl/main.bro you see that the ssl
> log is written to by the log_record / finish helper functions, which are
> called from:
>
> ssl_established, connection_state_remove(if not already logged!), and
> protocol_violation so in your case, what could work is
>
> event ssl_established(c: connection) {
>   c$ssl$foo = 1;
>   c$ssl$bar = "TEST";
> }
>
> However, the ssl script also has this feature:
>
>     # Hook that can be used to perform actions right before the log record
>     # is written.
>     global ssl_finishing: hook(c: connection);
>
> So to ensure you catch everything and run at the right time, this will
> work even better:
>
> hook ssl_finishing(c: connection) {
>   c$ssl$foo = 1;
>   c$ssl$bar = "TEST";
> }
>
>
> Justin Azoff
>
>
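As an added, stand-alone example (not code from either message in this thread): the same two-field extension, with the handler written against the hook's qualified name. `ssl_finishing` is declared under `module SSL` in base/protocols/ssl/main.bro, so a script that is not itself inside `module SSL` has to refer to it as `SSL::ssl_finishing`; an unqualified `hook ssl_finishing` is accepted by the parser but defines a separate hook that nothing ever invokes, which is consistent with a handler that never fires. The field names `foo` and `bar` are the thread's own placeholders, and the `@load` line assumes the script is run on its own rather than alongside the default local.bro.

```bro
# Added example, not from the thread: extend ssl.log with two fields and
# populate them immediately before the record is written.
@load base/protocols/ssl

redef record SSL::Info += {
    ## Placeholder fields carried over from the thread.
    foo: int    &log &optional;
    bar: string &log &optional;
};

# Assumption: the hook lives in module SSL, so it must be qualified here.
# This runs once per SSL connection, right before the record is logged,
# regardless of which path (ssl_established, protocol_violation or
# connection_state_remove) finishes the record.
hook SSL::ssl_finishing(c: connection)
{
    # Defensive: the hook is only invoked for connections with SSL state,
    # but guard anyway so a future caller cannot trigger a field-access error.
    if ( ! c?$ssl )
        return;

    c$ssl$foo = 1;
    c$ssl$bar = "TEST";
}
```

Run it as `bro -r some-tls.pcap test.bro` and ssl.log should show `1` and `TEST` in the new columns instead of `-`. The alternative is to put the handler inside a `module SSL;` block, in which case the unqualified name resolves; the point either way is that the name must bind to the hook the ssl script actually calls.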