[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23006#comment-23006 ]

Johanna Amann commented on BIT-1502:
------------------------------------

Ok, it is really difficult to see what exactly is going on here - but
basically, Bro is not seeing all bytes in the connections (and hence cannot
decode the TLS sessions). Which is probably actually a different underlying
problem that has not much to do with Bro (which only uses libpcap to get
traffic from eth0 in your case).

How exactly are you replaying the traffic? Is it replayed from a different
machine? Are you employing some kind of rate limiting, or is it simply sent at
the full speed the interface is capable of? Could you potentially try just
replaying your traffic while running tcpdump on the receiving side, to see if
tcpdump misses packets too?

> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Assignee: Johanna Amann
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS
> connections. It seems however that not all certificates are logged in the
> x509.log (or in files.log). However the connections are visible in the
> ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas
> https://tweakers.net or https://api.twitter.com are logged. Is this a bug,
> feature? Any idea how to ensure all the certificates are stored?
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev