during the SSL/TLS session establishment. It's a pretty short script, but it still has a configuration option. :)
The default setting is to log certificates of local hosts, to change that to log all certificates...
redef SSL_KnownCerts::logged_hosts = AllHosts;When this script really becomes cool is when you have DPD enabled (i'll write a post on how to do that soon). If DPD is enabled, you will actually be detecting SSL on all ports and then logging the X.509 certificate in the log just the same as SSL on the normal ports like 443/tcp and 995/tcp.
Here are some examples of the log lines seen in the ssl-known-certs.log file. (the wrapping is horrible, but you get the idea)
209.85.133.19 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.comThose fields are tab separated too, so they're nice and easy to parse. More tomorrow hopefully!
209.85.133.189 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.mail.google.com
209.85.159.97 443 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google-analytics.com
140.254.54.134 443 /C=US/postalCode=43210/ST=OH/L=Columbus/streetAddress=250 West Woodruff Avenue/O=The Ohio State University/OU=Office of Information Technology/OU=Hosted by The Ohio State University/OU=Comodo PremiumSSL Wildcard/CN=*.osu.edu
Update: I forgot to give a link to the file. ssl-known-certs.bro
Posts
1 comment:
I just finished up reading your blog the first time so I thought I should comment to let you know your stuff is great.
SSL certificates can provide you with non-forgeable proof of your website's identity, and customer confidence in the integrity and security of your online business.
Post a Comment