Hi,
Why, when I print the “level” of the alert message, do I get numbers different from 1 (warning) or 2 (fatal)?
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count)
	{
	print fmt("%d %d", level, desc);
	}
#out
61 173
123 165
13 61
200 80
8 121
187 31
144 218
82 243
6 224
237 72
115 121
92 152
196 44
2 255
141 216
42 88
The explanations I can think of are 1) bug in the ssl parser 2) ssl parser got attached to a connection that’s not actually ssl 3) the ssl alert records actually contain those odd level values.
If you can provide a small example pcap, that could be helpful. Else you might get more clues by checking whether the values in c$ssl end up looking sane for the connections in question.
- Jon
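One way to tell the three explanations in the reply above apart is to inspect the record layer of the affected connection directly: a cleartext alert record carries exactly two bytes (level, description), while an alert sent after ChangeCipherSpec is encrypted, so its first two bytes are ciphertext. This is an added example, not code from the thread or from the Bro project; `classify_alerts` and both sample byte strings are constructed for illustration, and the walk covers TLS 1.2 and earlier framing only.

```python
import struct

HANDSHAKE, CCS, ALERT, APPDATA = 22, 20, 21, 23  # TLS record content types

def classify_alerts(stream: bytes):
    """Walk one direction of a reassembled stream and classify alert records."""
    results, off, seen_ccs = [], 0, False
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        # Explanation 2: the analyzer is attached to something that is not SSL/TLS.
        if ctype not in (HANDSHAKE, CCS, ALERT, APPDATA) or version >> 8 != 3:
            results.append(("not-tls", off))
            break
        body = stream[off + 5 : off + 5 + length]
        if len(body) < length:
            results.append(("truncated", off))
            break
        if ctype == CCS:
            seen_ccs = True  # everything after this is encrypted in this direction
        elif ctype == ALERT:
            if length < 2:
                kind = "unexpected"
            elif seen_ccs:
                kind = "encrypted"   # explanation 3: the bytes on the wire are ciphertext
            elif length == 2 and body[0] in (1, 2):
                kind = "plaintext"   # a sane warning/fatal alert
            else:
                kind = "unexpected"  # explanation 1 or a malformed peer: needs a closer look
            results.append((kind,) + tuple(body[:2]))
        off += 5 + length
    return results

# Constructed sample: handshake record, cleartext warning alert (desc 112),
# ChangeCipherSpec, then a 26-byte alert record whose body is opaque.
SAMPLE_TLS = bytes.fromhex(
    "1603030004 0e000000"
    "1503030002 0170"
    "1403030001 01"
    "150303001a 3dad"
) + bytes(24)

# Constructed sample: cleartext HTTP on a port where SSL was expected.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(classify_alerts(SAMPLE_TLS))
    print(classify_alerts(SAMPLE_HTTP))
```

An "encrypted" result means the level and description values a parser reads from that record cannot be interpreted as alert fields.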
Hi,
Why is the “ticket” value always empty or NULL?
event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
	{
	print fmt("%s", ticket);
	}