[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22811#comment-22811 ]

Gavin Spearhead commented on BIT-1502:
--------------------------------------

Basically I installed the .deb package as on the website, fiddled a bit with the 
configuration:
Using this for node.cfg
[bro]
type=standalone
host=localhost
interface=eth0

Tried disabling some bits and pieces in
/opt/bro/share/bro/site/local.bro
to no avail.

run
sudo broctl 
> install
> start

Bro takes about 19% cpu. 


zcat conn.17\:00\:00-18\:00\:00.log.gz | ../../bin/bro-cut missed_bytes id.resp_h|grep face
0       2a03:2880:1010:df05:face:b00c:0:2
17578   2a03:2880:1010:df05:face:b00c:0:2
4488    2a03:2880:2040:7f01:face:b00c:0:1
2820    2a03:2880:11:1f04:face:b00c:0:1
4653    2a03:2880:1010:df05:face:b00c:0:2
4343    2a03:2880:1010:df05:face:b00c:0:2
77198   2a03:2880:f013:8:face:b00c:0:1
50374   2a03:2880:1010:df05:face:b00c:0:2
3198    2a03:2880:f022:b:face:b00c:0:3
0       2a03:2880:f022:b:face:b00c:0:3
124697  2a03:2880:f022:b:face:b00c:0:3
68810   2a03:2880:f022:b:face:b00c:0:3
21575   2a03:2880:1010:df05:face:b00c:0:2
0       2a03:2880:f013:8:face:b00c:0:1
146790  2a03:2880:f013:8:face:b00c:0:1
85210   2a03:2880:f013:8:face:b00c:0:1
77505   2a03:2880:1010:df05:face:b00c:0:2
0       2a03:2880:f012:8:face:b00c:0:1
433464  2a03:2880:f012:8:face:b00c:0:1
242946  2a03:2880:f012:8:face:b00c:0:1
55640   2a03:2880:1010:df05:face:b00c:0:2
237749  2a03:2880:f013:8:face:b00c:0:1
428592  2a03:2880:f013:8:face:b00c:0:1
93314   2a03:2880:1010:6f03:face:b00c:0:2

And for Twitter:

zcat conn.17\:00\:00-18\:00\:00.log.gz | ../../bin/bro-cut missed_bytes id.resp_h|grep 199.16.156
14510   199.16.156.70
5477    199.16.156.8
2626    199.16.156.72
2625    199.16.156.8
0       199.16.156.8
0       199.16.156.199
0       199.16.156.72
1477    199.16.156.72
1752    199.16.156.198
2880    199.16.156.120
3025    199.16.156.9
1752    199.16.156.38
48034   199.16.156.38
7197    199.16.156.72
2625    199.16.156.8
0       199.16.156.72
0       199.16.156.104


> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS 
> connections. It seems however that not all certificates are logged in the 
> x509.log. (or in files.log). However the connections are visible in the 
> ssl.log. The setup is a basic install.  
> E.g. https://facebook.com and https://twitter.com are not logged, whereas 
> https://tweakers.net or https://api.twitter.com are logged. Is this a bug, 
> feature? Any idea how to ensure all the certificates are stored?



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
