Hi,
I installed Zeek 3.2.2 on CentOS 7 (amd64).
I want to be able to log the SSL ciphers and protocols used on a host so we can get an overview of how many old clients are connecting.
However, in the ssl.log, it does not log that information.
[root@zeek current]# ll
insgesamt 68
-rw-r--r--. 1 root zeek 2316 27. Nov 21:44 conn.log
-rw-r--r--. 1 root zeek 581 27. Nov 21:44 dns.log
-rw-r--r--. 1 root zeek 26221 27. Nov 21:43 loaded_scripts.log
-rw-r--r--. 1 root zeek 600 27. Nov 21:44 ntp.log
-rw-r--r--. 1 root zeek 227 27. Nov 21:43 packet_filter.log
-rw-r--r--. 1 root zeek 666 27. Nov 21:44 reporter.log
-rw-r--r--. 1 root zeek 497 27. Nov 21:44 ssl.log
-rw-r--r--. 1 root zeek 686 27. Nov 21:43 stats.log
-rw-r--r--. 1 root zeek 20 27. Nov 21:43 stderr.log
-rw-r--r--. 1 root zeek 188 27. Nov 21:43 stdout.log
-rw-r--r--. 1 root zeek 983 27. Nov 21:44 weird.log
[root@zeek current]# cat ssl.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2020-11-27-21-44-28
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
1606509862.986251 CCB2e543osaLm9T38 192.168.1.238 52108 aaa.bb.ccc.68 443 - - - server68.domain.org F - - F - - - - - - -
In share/zeek/site/local.zeek
I’ve added
@load protocols/ssl/weak-keys
In
share/zeek/policy/protocols/ssl/weak-keys.zeek
I’ve set
option tls_minimum_version = TLSv12;
Is there anything else to do?
I run this in a local VMWare Fusion VM.
I connected to the host above via curl -v --tlsv1.0
Rainer
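
Added example, not part of the original post and not Zeek's own code: one way to build the per-client overview of old protocol versions from an ssl.log in the tab-separated layout shown above, while setting aside rows whose version field is unset, as in the posted row. The function names are hypothetical, the columns are reduced to the ones used, and every sample row except the first is constructed.

```python
import collections

# Constructed sample in Zeek's TSV layout (reduced columns). The first data row
# mirrors the row in the post (version and cipher unset, established F).
SAMPLE = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tssl",
    "#fields\tts\tuid\tid.orig_h\tversion\tcipher\testablished",
    "1606509862.986251\tCCB2e543osaLm9T38\t192.168.1.238\t-\t-\tF",
    "1606509870.100000\tCconstructed0001\t192.168.1.10\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tT",
    "1606509871.200000\tCconstructed0002\t192.168.1.11\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\tT",
    "1606509872.300000\tCconstructed0003\t192.168.1.10\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tT",
])

OLD_VERSIONS = ("SSLv2", "SSLv3", "TLSv10", "TLSv11")

def parse_zeek_tsv(text):
    """Yield one dict per data row, using the #fields header for column names
    and mapping the #unset_field marker to None."""
    fields, unset = [], "-"
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue
        if line:
            values = line.split("\t")
            yield {f: (None if v == unset else v) for f, v in zip(fields, values)}

def summarize(rows, old=OLD_VERSIONS):
    """Return (count per (version, cipher), old versions per client, uids with no version)."""
    counts = collections.Counter()
    old_clients = collections.defaultdict(set)
    no_version = []
    for r in rows:
        if r["version"] is None:      # handshake details were not logged for this row
            no_version.append(r["uid"])
            continue
        counts[(r["version"], r["cipher"])] += 1
        if r["version"] in old:
            old_clients[r["id.orig_h"]].add(r["version"])
    return counts, dict(old_clients), no_version

if __name__ == "__main__":
    counts, old_clients, no_version = summarize(parse_zeek_tsv(SAMPLE))
    print(counts, old_clients, no_version, sep="\n")
```

A large share of uids in the third return value means the overview is incomplete, because those connections were logged without a negotiated version or cipher.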