How do I log the serial number of the certificate in ssl.log?
I tried to perform this in the protocols/ssl/files.bro file at the event ssl_established(), but this event is almost never called. This means that issuer and subject also almost never get logged.
Is this because the handshake happens at line speed, but the certificate does not get processed as fast, so the certificate details are almost never available to Bro when it logs the handshake data in ssl.log?
Thanks,
Robert
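One way to add the server certificate's serial number to ssl.log, as an added example script that is not part of the original thread (it assumes a Bro 2.3-or-later script layer where SSL::Info carries a cert_chain of Files::Info records with an x509 field, and the new field name cert_serial is the author's own choice):

```bro
# Extend ssl.log with the serial number of the server's leaf certificate.
# Assumes the Bro 2.3+ SSL/X509 script API: c$ssl$cert_chain[0]$x509$certificate$serial.
@load base/protocols/ssl
@load base/files/x509

redef record SSL::Info += {
    ## Serial number of the server's leaf certificate (hex string as Bro reports it).
    cert_serial: string &log &optional;
};

# ssl_established fires once per completed handshake; the chain has been
# attached to c$ssl by base/protocols/ssl/files.bro by this point.
event ssl_established(c: connection)
    {
    if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
        return;

    # Element 0 is the leaf (server) certificate; the rest are intermediates.
    local leaf = c$ssl$cert_chain[0];
    if ( leaf?$x509 && leaf$x509?$certificate )
        c$ssl$cert_serial = leaf$x509$certificate$serial;
    }

# If Bro captures on the monitored host itself, NIC checksum offloading makes
# Bro discard one direction of every connection (the all-lowercase "hadf"
# history seen later in this thread) and ssl_established is never raised.
# The FAQ workaround is to ignore checksums, e.g. in local.bro:
#   redef ignore_checksums = T;
# or equivalently run bro with -C on the command line.
```

Until the checksum issue is resolved, the field stays empty because the handler above is never reached; check conn.log history strings for uppercase letters to confirm Bro sees the originator side.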
It sounds like your bro installation is not functioning properly. ssl_established is raised on every ssl connection and includes all of the information about the handshake.
What does the ssl.log and conn.log entry look like for one of the ssl connections that is missing the issuer and subject fields?
These logs are from 5 days apart and do not match up with each other.
I'd need to see the conn.log entries that correspond to connections like CrfdsS268VpsZjzjV2, C3PoFJ0FJ51yFKOm7, CoxsGYKjELt5oTZUj, C5EqDA4f0hY9BlCR2d etc
Ah yes... the hadf for all of your connection histories shows that Bro is only seeing half of your connections
Are you running bro on 10.245.44.33 itself?
https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
Yes, I am running bro on an iMac having IP address 10.245.44.33.
I will try out the workarounds for ignoring checksums tomorrow, and let you know how it went. Let me know if you have any more advice, I am all ears.
Thank you so much!
–Robert
The workaround is working.
Thank you