Certificate extraction issue

Hello, everybody

I have a problem I can't wrap my head around.
I'm trying to extract SSL certificates from traffic and I have an event handler like this:

event x509_certificate (f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) {
    local fileName = fmt("%s", current_time());
    print fileName;
    # "path" is a directory prefix defined elsewhere in the script
    local fname = fmt("%s%s.%s", path, fileName, "pem");
    local args: Files::AnalyzerArgs = record($extract_filename=fname);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
}

For some reason I don't understand, Bro can't add the analyzer to my files, and I'm not getting any files extracted:

1517409279.894576 warning in /opt/bro/share/bro/base/frameworks/files/./main.bro, line 394: Analyzer Files::ANALYZER_EXTRACT not added successfully to file Fp4AgEzEtME36Nfl2.

Any help will be much appreciated

Thanks,

Timur

Hi Timur,

> Hello, everybody
>
> I have a problem I can't wrap my head around.
> I'm trying to extract SSL certificates from traffic and I have an event
> handler like this:
>
> event x509_certificate (f: fa_file, cert_ref: opaque of x509, cert:
> X509::Certificate) {
>     local fileName = fmt("%s", current_time());
>     print fileName;
>     local fname = fmt("%s%s.%s", path, fileName, "pem");
>     local args: Files::AnalyzerArgs = record($extract_filename=fname);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
> }
>
> For some reason I don't understand, Bro can't add the analyzer to my files,
> and I'm not getting any files extracted:
>
> 1517409279.894576 warning in
> /opt/bro/share/bro/base/frameworks/files/./main.bro, line 394: Analyzer
> Files::ANALYZER_EXTRACT not added successfully to file Fp4AgEzEtME36Nfl2.

Files::add_analyzer can only be called quite early - when all of the bytes
of the file are still buffered in the core; I think the last time this is
possible is the file_sniff event.

That being said, with certificates you have a few other options for saving
them to disk later. I would recommend looking at the
policy/protocols/ssl/extract-certs-pem.bro script that ships with Bro.

Johanna
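As an added example (not from this thread and not one of Bro's own scripts), here is the pattern Johanna describes: attach the extraction analyzer in file_sniff, while the file's bytes are still buffered, and only for files identified as certificates. The certificate MIME type names and the use of f$info$extracted are assumptions to check against your Bro version's x509 and extract scripts.

```zeek
# Added example, not code from the thread or from Bro's own scripts.
module CertExtract;

# MIME types the core reports for certificates carried in TLS handshakes
# (assumption: matches what the x509 analyzer registers for in your version).
const cert_mime_types: set[string] = set(
    "application/x-x509-user-cert",
    "application/x-x509-ca-cert",
    "application/pkix-cert"
);

# file_sniff is the last event at which Files::add_analyzer still works,
# because the file's bytes are still buffered in the core at this point.
event file_sniff(f: fa_file, meta: fa_metadata)
{
    # No MIME type detected, or not a certificate: nothing to do.
    if ( ! meta?$mime_type || meta$mime_type !in cert_mime_types )
        return;

    # Use the file id rather than current_time(): it is unique per file and
    # ties the written file back to its files.log entry. The bytes on the
    # wire are DER, so name the file accordingly; the extract analyzer writes
    # raw bytes and does not convert to PEM. The name is placed under
    # FileExtract::prefix (default "./extract_files/") by the analyzer itself.
    local fname = fmt("cert-%s.der", f$id);
    local args: Files::AnalyzerArgs = [$extract_filename=fname];

    if ( ! Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args) )
        Reporter::warning(fmt("could not attach extract analyzer to %s", f$id));
}

# x509_certificate fires after parsing, which is why attaching the analyzer
# here (as in the thread) is too late. By now it is only useful for reporting
# which certificate ended up in which extracted file.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
{
    if ( f?$info && f$info?$extracted )
        print fmt("%s -> %s", cert$subject, f$info$extracted);
}
```

If you only need PEM copies, the stock policy/protocols/ssl/extract-certs-pem.bro script Johanna mentions converts the parsed certificate instead of relying on the extract analyzer.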