question about ssl analyzer

Jake_Babbin · February 22, 2006, 2:19am

List,
I have a question about the SSL analyzer and the ssl.bro policy file. I'm trying to use this policy to track ssl certificates across a link. However, this policy seems to be broken.

Upon starting bro 1.0 with ssl.bro enabled I get
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
line 1: warning: ssl_ciphersuite_seen

after the first ssl connection or sometimes the second... bro seg faults with no core or debugging information. Also I have recompiled bro with debugging enabled and retried it with no luck as well.
Lastly, I have turned almost everything off in the policy file just to check if thats the issue as well.

Anyone been able to run the ssl analyzer successfully?

Thanks,
Jake Babbin

David_Vasil1 · February 22, 2006, 2:12pm

jbabbin@comcast.net wrote:

after the first ssl connection or sometimes the second... bro seg faults with no core or debugging information. Also I have recompiled bro with debugging enabled and retried it with no luck as well. Lastly, I have turned almost everything off in the policy file just to check if thats the issue as well.

Anyone been able to run the ssl analyzer successfully?

I tried running with the ssl policy but bro segfaulted in the same manner as you are seeing. I also am running Bro 1.0.

Holger_Dreger · February 22, 2006, 4:03pm

There is a preliminary bugfix appended in the patch (apply in the src directory using "patch -p1"). If it works for you, please let me know if you find any inconsistencies in the analyzer output.

Holger

bro1.0SSL.patch (4.73 KB)

Topic		Replies	Views
Attempting to use SSL analyser in 0.9a8 Zeek	3	62	May 6, 2022
HTTPS Analyzer Development development	2	116	May 6, 2022
SSL Events not being triggered Zeek	3	102	May 6, 2022
HTTPS Analyzer Zeek	4	94	May 6, 2022
SSL.BRO question Zeek	2	79	May 6, 2022

question about ssl analyzer

Related Topics