question about ssl analyzer

List,
I have a question about the SSL analyzer and the ssl.bro policy file. I'm trying to use this policy to track ssl certificates across a link. However, this policy seems to be broken.

Upon starting bro 1.0 with ssl.bro enabled I get
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
line 1: warning: ssl_ciphersuite_seen

After the first ssl connection or sometimes the second... bro seg faults with no core or debugging information. Also I have recompiled bro with debugging enabled and retried it with no luck as well.
Lastly, I have turned almost everything off in the policy file just to check if that's the issue as well.

Anyone been able to run the ssl analyzer successfully?

Thanks,
Jake Babbin

jbabbin@comcast.net wrote:

> After the first ssl connection or sometimes the second... bro seg faults with no core or debugging information. Also I have recompiled bro with debugging enabled and retried it with no luck as well. Lastly, I have turned almost everything off in the policy file just to check if that's the issue as well.
>
> Anyone been able to run the ssl analyzer successfully?

I tried running with the ssl policy but bro segfaulted in the same manner as you are seeing. I also am running Bro 1.0.

There is a preliminary bugfix appended in the patch (apply in the src directory using "patch -p1"). If it works for you, please let me know if you find any inconsistencies in the analyzer output.

Holger

bro1.0SSL.patch (4.73 KB)