I want my script to look at the conn details of an SSL session, orig_h, resp_h, etc., and also look at specific file details for that session, x509::certificate.sig_alg.
How do I correlate the two in a Bro script since Bro handles connections and files separately?
My thought process was to use 'event ssl_established', since it would have most of what I want, but it doesn't have x509 file details like the certificate.sig_alg, and I wasn't able to find the event that would contain both.
Anyone know how I can do this?
Specifically for x509 certificates, you might want to look at the x509_certificate event, which includes the connection details & the parsed certificate fields in one handy event.
The “misc/dump-events” script is invaluable for examining packet captures to figure out what events fire and what data is available for a given event.
bro -r some.pcap misc/dump-events
There is one small caveat to this too. If an event isn't handled by an existing script, that event won't be generated and won't show up in the output from the dump-events script. In many cases this all works out ok, but I wanted to point it out to save someone a headache trying to figure out why an event isn't being generated.
Thanks Keith! For anyone else asking the same question: fa_file contains conns, which holds the connection details in table format. Example:
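An added example, not code from any poster in this thread, that puts the two replies together. It assumes Bro 2.3 or later with the default base/protocols/ssl and base/files/x509 scripts loaded: the x509_certificate handler pulls the connection details out of f$conns, and the ssl_established handler goes the other direction through c$ssl$cert_chain.

```bro
# Added example: correlate SSL connection details with parsed X.509 fields.
# Assumes Bro 2.3+ (x509_certificate event, fa_file$conns, SSL::Info$cert_chain).

# Direction 1: file -> connection(s).  Fires once per certificate seen.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    # Only look at certificates carried over SSL/TLS, and only server certs
    # (is_orig is T for a client certificate).
    if ( f$source != "SSL" )
        return;
    if ( f?$is_orig && f$is_orig )
        return;

    # conns is &optional; every connection this file was seen on is keyed
    # by conn_id, so orig_h/resp_h/ports come straight from the key.
    if ( ! f?$conns )
        return;

    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        print fmt("[x509_certificate] %s:%s -> %s:%s uid=%s sig_alg=%s subject=%s",
                  cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p,
                  c$uid, cert$sig_alg, cert$subject);
        }
    }

# Direction 2: connection -> certificate(s).  By the time the handshake is
# established the server chain has been parsed; cert_chain[0] is the leaf.
event ssl_established(c: connection)
    {
    if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
        return;

    local leaf = c$ssl$cert_chain[0];
    if ( ! leaf?$x509 )
        return;

    local cert = leaf$x509$certificate;
    print fmt("[ssl_established] %s -> %s server_name=%s sig_alg=%s not_after=%T",
              c$id$orig_h, c$id$resp_h,
              c$ssl?$server_name ? c$ssl$server_name : "-",
              cert$sig_alg, cert$not_valid_after);
    }
```

Run it as `bro -r some.pcap this_script.bro` to see both lines printed for each SSL session in the capture.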