X509 doesn't log all certificates

Description

I'm trying to use Bro to log all X509 certificate information for SSL / HTTPS connections. It seems, however, that not all certificates are logged in x509.log (or in files.log). However, the connections are visible in ssl.log. The setup is a basic install.

E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug or a feature? Any idea how to ensure all the certificates are stored?

Environment

test setup

Activity

Seth Hall
December 2, 2015, 3:08 PM

I'm going to close this ticket since it's now working for you and we're unable to reproduce your problem.

Gavin Spearhead
November 25, 2015, 10:56 PM

Adding it seems to give much better results. Thanks.

Gavin Spearhead
November 25, 2015, 10:52 PM

I guess not. It's started through broctl:

bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

Seth Hall
November 25, 2015, 2:42 PM

Gavin, are you using the -C command line option when you run Bro on the packets on the command line?
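A way to measure the symptom reported in this ticket, as an added example that is not part of the ticket or the Bro project's code: it cross-references ssl.log against x509.log and lists connections whose certificate chain was never logged, skipping resumed sessions, which carry no certificate. The sample logs are constructed and use a reduced column set; the field names (`uid`, `server_name`, `resumed`, `cert_chain_fuids`, and `id` in x509.log) are those of Bro's ASCII logs.

```python
def read_bro_log(text):
    """Parse a Bro ASCII (tab-separated) log into dicts keyed by the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def unlogged_cert_connections(ssl_text, x509_text):
    """Return (uid, server_name) for SSL connections with no logged certificate chain."""
    logged = {r["id"] for r in read_bro_log(x509_text)}
    findings = []
    for r in read_bro_log(ssl_text):
        if r.get("resumed") == "T":
            continue  # resumed sessions legitimately carry no certificate
        fuids = r.get("cert_chain_fuids", "-")
        chain = [] if fuids in ("-", "(empty)") else fuids.split(",")
        # Flag connections with no chain at all, or a chain missing from x509.log
        if not chain or not all(f in logged for f in chain):
            findings.append((r["uid"], r.get("server_name", "-")))
    return findings


def _log(fields, rows):
    """Build a constructed Bro-style log: a #fields header plus tab-separated rows."""
    return "\n".join(["\t".join(["#fields"] + fields)] + ["\t".join(r) for r in rows])


# Constructed sample data (not taken from the ticket)
SSL_LOG = _log(
    ["ts", "uid", "id.resp_h", "server_name", "resumed", "established", "cert_chain_fuids"],
    [
        ["1448400000.0", "CAAA1", "192.0.2.10", "logged.example", "F", "T", "FAAA1,FAAA2"],
        ["1448400001.0", "CBBB2", "192.0.2.20", "missing.example", "F", "F", "-"],
        ["1448400002.0", "CCCC3", "192.0.2.10", "logged.example", "T", "T", "-"],
    ],
)
X509_LOG = _log(
    ["ts", "id", "certificate.subject"],
    [["1448400000.0", "FAAA1", "CN=logged.example"],
     ["1448400000.0", "FAAA2", "CN=Constructed Intermediate CA"]],
)

if __name__ == "__main__":
    for uid, sni in unlogged_cert_connections(SSL_LOG, X509_LOG):
        print(f"{uid}\t{sni}\tno certificate logged")
```

Running it before and after a configuration change (here, adding the -C option) shows whether the number of non-resumed connections without a logged certificate actually drops.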

Cannot Reproduce

Assignee

Unassigned

Reporter

Gavin Spearhead

External issue ID

None

Priority

Normal