X509 doesn't log all certificates

Description

I'm trying to use Bro to log all X509 certificate information for SSL/HTTPS connections. It seems, however, that not all certificates are logged in x509.log (or in files.log), although the connections are visible in ssl.log. The setup is a basic install.

E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug or a feature? Any idea how to ensure all the certificates are stored?
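One way to measure the gap described above is to cross-reference ssl.log against x509.log: every fuid listed in a connection's cert_chain_fuids should appear as an id in x509.log, and a non-resumed connection with no fuids at all deserves a look too. The script below is an added example, not code from this ticket or from the Bro project; it assumes the Bro 2.4-era field names cert_chain_fuids and resumed in ssl.log and id in x509.log, and the two log excerpts are constructed samples with hypothetical uids, fuids and addresses.

```python
"""Cross-check a Bro ssl.log against x509.log to find SSL connections whose
server certificate chain never reached x509.log (the symptom in this ticket).
Added example; the log excerpts are constructed samples in Bro ASCII log
format, not logs from the reporter's system."""

# Constructed ssl.log excerpt (hypothetical uids, fuids and addresses).
SSL_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tresumed\tcert_chain_fuids
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tvector[string]
1448488000.000000\tCabc1\t10.0.0.5\t51000\t203.0.113.10\t443\tTLSv12\ttweakers.net\tF\tFa1,Fa2
1448488001.000000\tCdef2\t10.0.0.5\t51001\t203.0.113.20\t443\tTLSv12\tfacebook.com\tF\t-
1448488002.000000\tCghi3\t10.0.0.5\t51002\t203.0.113.30\t443\tTLSv12\ttwitter.com\tF\tFb1
1448488003.000000\tCjkl4\t10.0.0.5\t51003\t203.0.113.10\t443\tTLSv12\ttweakers.net\tT\t(empty)
#close\t2015-11-25-22-00-00
"""

# Constructed x509.log excerpt: only the chain for the first connection was logged.
X509_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tx509
#fields\tts\tid\tcertificate.version\tcertificate.serial\tcertificate.subject\tcertificate.issuer
#types\ttime\tstring\tcount\tstring\tstring\tstring
1448488000.050000\tFa1\t3\t0A1B2C\tCN=tweakers.net\tCN=Example Intermediate CA
1448488000.050000\tFa2\t3\t0A1B2D\tCN=Example Intermediate CA\tCN=Example Root CA
#close\t2015-11-25-22-00-00
"""


def parse_bro_log(text):
    """Parse a tab-separated Bro ASCII log into a list of dicts keyed by #fields.

    Every other '#' line (separator, types, path, close) is metadata and skipped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d: %r" % (len(fields), len(values), line))
        records.append(dict(zip(fields, values)))
    return records


def split_vector(value):
    """Expand a Bro vector field; unset ('-') and empty ('(empty)') both yield no items."""
    if value in ("-", "(empty)"):
        return []
    return value.split(",")


def find_unlogged_certs(ssl_text, x509_text):
    """Return {uid: (server_name, missing_fuids)} for connections whose chain is incomplete.

    Resumed sessions are skipped, since no certificate is sent on resumption.
    A non-resumed connection with no cert_chain_fuids at all is reported with an
    empty list: the server should have sent at least one certificate.
    """
    logged = {rec["id"] for rec in parse_bro_log(x509_text)}
    problems = {}
    for rec in parse_bro_log(ssl_text):
        if rec["resumed"] == "T":
            continue
        fuids = split_vector(rec["cert_chain_fuids"])
        missing = [f for f in fuids if f not in logged]
        if not fuids or missing:
            problems[rec["uid"]] = (rec["server_name"], missing)
    return problems


if __name__ == "__main__":
    for uid, (name, missing) in sorted(find_unlogged_certs(SSL_LOG, X509_LOG).items()):
        detail = "no cert_chain_fuids" if not missing else "fuids absent from x509.log: " + ",".join(missing)
        print("%s %s: %s" % (uid, name, detail))
```

On the constructed data the report names the facebook.com connection (no fuids at all) and the twitter.com connection (fuid Fb1 never logged), while the tweakers.net connections are clean. If a live capture shows gaps of this kind but replaying a pcap of the same traffic through Bro does not, packets are being discarded before the SSL analyzer sees them rather than lost on the wire; that is what the -C option raised later in this thread addresses, since it makes Bro ignore invalid IP/TCP checksums, which a host capturing its own outbound traffic with checksum offloading enabled will see on every packet it sends.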

Environment

test setup

Activity

Seth Hall
December 2, 2015, 3:08 PM

I'm going to close this ticket since it's now working for you and we're unable to reproduce your problem.

Gavin Spearhead
November 25, 2015, 10:56 PM

Adding it seems to give much better results. Thanks.

Gavin Spearhead
November 25, 2015, 10:52 PM

I guess not. It's started through broctl.

bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

Seth Hall
November 25, 2015, 2:42 PM

Gavin, are you using the -C command line option when you run Bro on the packets on the command line?

Gavin Spearhead
November 24, 2015, 11:20 PM

The machine is just my workstation. Bro is running on a live capture. It's not particularly busy, nor is there really a lot of traffic; actually it's just browsing. There is no rate limiting. I've been running tcpdump and Wireshark as well, and it doesn't look like there is anything missing. I ran tcpdump for a bit and pulled it through Bro, and then everything just works fine.

.cmdline says
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

I don't see anything particularly interesting in the logs, apart from "send-mail: SENDMAIL-NOTFOUND not found".

Cannot Reproduce

Assignee

Unassigned

Reporter

Gavin Spearhead

Labels

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal