SSL variables

The standard script defines the following redefinable variables:

ssl_compare_cipherspecs : bool
Default: T

ssl_analyze_certificates : bool
Default: T

ssl_store_certificates : bool
Default: T

ssl_store_cert_path : string
Default: "../certs"

ssl_verify_certificates : bool
Default: T

x509_trusted_cert_path : string
Default: ""

ssl_max_cipherspec_size : count
Default: 45

ssl_store_key_material : bool
Default: T

1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/https start
1046778101.534846 #1 connection attempt version: 3.1
1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
1046778101.753356 #1 server reply, version: 3.1
1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 3 CA/Email=certificate@trustcenter.de,
1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehmanns.de
1046778101.894567 #1 handshake finished, version 3.1, cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
1046778104.877207 #1 finish
--- Used cipher-suites statistics:
SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1

Figure 7.1: Example of SSL log file with a single SSL session.

In addition, ssl_log holds the name of the SSL log file to which Bro writes SSL connection summaries. It defaults to open_log_file("ssl").

The figure above shows what entries in the SSL log file look like. It is a transcript of the first SSL connection seen since Bro started running. The first line gives the start of the connection and the participating hosts and ports. Next, we see a client attempting an SSL (version 3.1) connection, along with the cipher suites it offers. The server replies with an SSL 3.1 SERVER-REPLY and the desired cipher suite.

Note: In SSL v3.0/v3.1 this determines which cipher suite will be used for the connection.

Following this is the certificate the server sends, including the issuer and subject. Finally, we see that the handshaking phase for this SSL connection has finished and that client and server agreed on the cipher suite RSA_WITH_RC4_128_MD5. Because the rest of the session is encrypted, the SSL analyzer skips all further data, so the only remaining entry is the end of the connection. When Bro finishes, it prints statistics about the cipher suites used in all monitored SSL connections.
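
The log layout walked through above can be post-processed per session. The following is an added example, not part of Bro or of the original page: it assumes one record per line in the layout of Figure 7.1, and the function names parse_ssl_log and export_offers, the sample addresses and the sample log itself are constructed for illustration. It groups records by session number, tolerates a wrapped cipher list and a suite written without a space before its code, and reports sessions in which the client offered EXPORT-grade suites.

```python
import re
from decimal import Decimal

# Constructed sample in the Figure 7.1 layout; addresses are made up.
SAMPLE_LOG = """\
1046778101.534846 #1 192.0.2.10/32988 > 198.51.100.20/https start
1046778101.534846 #1 connection attempt version: 3.1
1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
    SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3),
1046778101.753356 #1 server reply, version: 3.1
1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
1046778101.894567 #1 handshake finished, version 3.1, cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
1046778104.877207 #1 finish
--- Used cipher-suites statistics:
SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1
"""

RECORD = re.compile(r"^(\d+\.\d+) #(\d+) (.*)$")       # timestamp, session number, body
SUITE = re.compile(r"(\w+)\s*\((0x[0-9A-Fa-f]+)\)")    # tolerates "NAME(0x9)" with no space

def parse_ssl_log(text):
    """Group per-session records; return {session number: summary dict}."""
    records = []
    for line in text.splitlines():
        if line.startswith("---"):        # trailing statistics block, not a session
            break
        m = RECORD.match(line)
        if m:
            records.append([Decimal(m.group(1)), int(m.group(2)), m.group(3).strip()])
        elif records and line.strip():    # wrapped cipher list: join to previous record
            records[-1][2] += " " + line.strip()
    sessions = {}
    for ts, sid, body in records:
        s = sessions.setdefault(sid, {"offered": [], "chosen": None, "duration": None})
        if body.endswith(" start"):       # "<client> > <server> start"
            s["client"], s["server"], s["start"] = body.split()[0], body.split()[2], ts
        elif body.startswith("cipher suites:"):       # the client's offer
            s["offered"] = [name for name, _ in SUITE.findall(body)]
        elif body.startswith("handshake finished"):   # the suite both sides agreed on
            m = SUITE.search(body)
            s["chosen"] = m.group(1) if m else None
        elif body == "finish" and "start" in s:
            s["duration"] = ts - s["start"]           # Decimal keeps microseconds exact
    return sessions

def export_offers(sessions):
    """Map session number -> EXPORT-grade suites the client offered (matched by name)."""
    return {sid: [c for c in s["offered"] if "_EXPORT" in c]
            for sid, s in sessions.items() if any("_EXPORT" in c for c in s["offered"])}
```
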