Bro for Beginners/Logging SSL Certificate

Hey everyone,

This is my first time using Linux as well as using Bro, so it has taken a while for me to get it installed and up and running, but finally I think I have it. I am running Bro 1.5.3 on Ubuntu and I have gotten BroCtl to start, but I have a couple of questions:

  1. Where are the rules written that Bro is supposed to alert on? I came from Snort so I know a bit about IDS but I don’t know how Bro is set up.
  2. Where are the logs produced? /spool/broctl.dt?

What I really want to do is to log the packet(s) from an SSL handshake that contain a certificate. I was sort of able to do this in Snort. Snort gave me the right packets but the wrong data. I got the TCP Segment Data rather than the reassembled TCP packet of the whole certificate itself. I was told Bro could do this out of the box so hopefully this will work here.

Is this possible? How should I go about doing this? I am a true beginner with Linux and I am having some trouble understanding what is going on.

Thanks in advance

This isn't quite ready for you then.

The next release has greatly improved certificate logging and we will likely have a script specifically for that task once we have the next release available.