


7.23.3 SSL variables

The standard script defines the following redefinable variables:

ssl_compare_cipherspecs : bool
If true, remember the client and server cipher specs and perform additional tests. This costs an extra amount of memory (normally only for a short time) but enables detection of non-intersecting cipher sets, for example.

Default: T.

ssl_analyze_certificates : bool
If true, analyze certificates seen in SSL connections, which includes the following steps:

Default: T.

ssl_store_certificates : bool
If certificates are analyzed, this variable determines whether they should be stored on disk.

Default: T.

ssl_store_cert_path : string
Path where certificates are stored. If empty, use the current directory. Note: The path must not end with a slash!

Default: "../certs".

ssl_verify_certificates : bool
If certificates are analyzed, whether to verify them.

Default: T.

x509_trusted_cert_path : string
Path where OpenSSL looks for trusted certificates. If empty, use the default OpenSSL path.

Default: "".

ssl_max_cipherspec_size : count
Maximum size in bytes for an SSL cipherspec. If we see attempted use of larger cipherspecs, warn and skip comparing them.

Default: 45.

ssl_store_key_material : bool
If true, stores key material exchanged in the handshaking phase. Note: This is mainly for decryption purposes and currently useless.

Default: T.

    1046778101.534846 #1 192.168.0.98/32988 >
            213.61.126.124/https start
    1046778101.534846 #1 connection attempt version: 3.1
    1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
            SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF),
            SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA),
            SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE),
            SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64),
            SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62),
            SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3),
            SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
    1046778101.753356 #1 server reply, version: 3.1
    1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
    1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC
            TrustCenter for Security in Data Networks GmbH/OU=TC
            TrustCenter Class 3 CA/Email=certificate@trustcenter.de,
    1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns
            Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehmanns.de
    1046778101.894567 #1 handshake finished, version 3.1, cipher suite:
            SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
    1046778104.877207 #1 finish
    ---

    Used cipher-suites statistics:
    SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1

Figure 7.1: Example of SSL log file with a single SSL session.

In addition, ssl_log holds the name of the SSL log file to which Bro writes SSL connection summaries. It defaults to open_log_file("ssl").

The above figure shows what entries in the SSL log file look like. We see a transcript of the first SSL connection seen since Bro started running. The first line gives its start and the participating hosts and ports. Next, we see a client attempting an SSL (version 3.1) connection and the cipher suites it offers. The server replies with an SSL 3.1 SERVER-REPLY and the desired cipher suite. Note: In SSL v3.0/v3.1 this determines which cipher suite will be used for the connection. Following this is the certificate the server sends, including its issuer and subject. Finally, we see that the handshaking phase for this SSL connection has finished and that client and server agreed on the cipher suite RSA_WITH_RC4_128_MD5. Due to encryption, the SSL analyzer skips all further data; we only see the end of the connection. When Bro finishes, we get statistics about the cipher suites used in all monitored SSL connections.