I am trying to write a script to log all client_hello cipher suites to the ssl log, preferably in the ascii hex format as they look in the pcap. I hacked up a similar script and got it to create the log entry but the column shows only (empty). Any idea on how to do this? Thanks.
Hello Daniel,
I am trying to write a script to log all client_hello cipher suites to the
ssl log, preferably in the ascii hex format as they look in the pcap. I
hacked up a similar script and got it to create the log entry but the column
shows only (empty). Any idea on how to do this? Thanks.
The reason your script does not work at the moment is, that you only
assigned an empty vector in the ssl_client_hello event without passing it
the actual data.
I modified it slightly below to just dump the raw number of all client
ciphers, converted into hex, into the log. Note that it drops 0's in the
front.
I hope this helps,
Johanna
That worked, thanks. I changed the format to add leading zeros for the 2
byte ciphers but that doesn't take into account the 3byte ones.
Is there an easy way to keep the leading zeros in the hex no matter the
length?
@load base/protocols/ssl/main
module SSL;
export {
redef record Info += {
ciphers: vector of string &log &optional;
};
## A boolean value to determine if client headers are to be logged.
const log_ciphers = T &redef;
}
event ssl_client_hello(c: connection, version: count, possible_ts: time,
client_random: string, session_id: string, ciphers: index_vec) {
if ( ! c?$ssl )
return;
if ( log_ciphers )
{
c$ssl$ciphers = vector();
for ( i in ciphers )
c$ssl$ciphers[i] = fmt("%04x", ciphers[i]);
}
}
Hello Daniel,