Question on SSL logs

Hello,

First, the background info… we are in the process of upgrading from Bro v2.3.2 to v2.4.1. The older version runs on a slower system which experiences more packet loss than the newer version, which is running on a faster system (which has mostly no loss at all). Both systems are seeing the same network traffic.

What we are seeing is that the SSL logs from v2.3.2 are consistently larger (by 20% to 25%) than the logs produced by v2.4.1. I see that there are a lot of improvements in the handling of SSL, and many that might actually impact log information, but we are unable to quantify how the logs are being affected even after a visual inspection of the logs. Is it reasonable to expect the new log files to be more compact (using the default SSL policies in both cases)? Just as a data point, the HTTP logs are comparable in size.

Would highly appreciate a response from the Bro SSL experts.

Thanks!

Raj

Hello Raj,

off the top of my head, I am not aware of any reason why the 2.4.1 SSL logs
should be more compact than the 2.3.2 logs; if anything, they should be
larger.

There were some changes to make the logs more compact, but those were from
2.2 to 2.3; in these cases, a better metric would be the number of lines.

In any case, if you can potentially take a small sample of your traffic and
run both 2.3.2 and 2.4.1 against it, and notice any changes (especially
missing lines in 2.4.1), I would appreciate it if you could let me know.

Johanna
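One way to carry out the comparison suggested above (count lines and look for missing sessions rather than comparing byte sizes), as an added example that is not part of this thread and not code from the Bro project. It parses Bro's ASCII TSV log format using the `#separator` and `#fields` header lines, keys each ssl.log row on the timestamp and connection 4-tuple (the `uid` is regenerated on every run, so it cannot be used to match rows across versions), and reports which sessions appear in only one of the two runs. The two sample logs embedded below are constructed for illustration; the field list is a subset of a real ssl.log header.

```python
"""Compare ssl.log output from two Bro runs over the same traffic.

Added example (not from the thread or from Bro). Bro ASCII logs are TSV with
'#'-prefixed header lines: '#separator' gives the column separator as an
escape sequence and '#fields' names the columns. Sample logs are constructed.
"""
import codecs
import sys


def parse_bro_log(text):
    """Return (fields, rows) for a Bro ASCII log; each row is a dict keyed by field."""
    sep = "\t"          # Bro's default; overridden by the #separator header line
    fields = []
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written as an escape sequence, e.g. "\x09" for a tab.
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
        elif line.startswith("#"):
            parts = line.split(sep)
            if parts[0] == "#fields":
                fields = parts[1:]
        else:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("column count mismatch: %r" % line)
            rows.append(dict(zip(fields, values)))
    return fields, rows


# Connection identity that is stable across runs on the same pcap. 'uid' is
# deliberately excluded: Bro assigns a fresh uid per run, so uids never match
# between two versions.
KEY_FIELDS = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")


def session_key(row):
    return tuple(row[f] for f in KEY_FIELDS)


def compare_ssl_logs(old_text, new_text):
    """Line and byte counts plus the sessions that appear in only one run."""
    _, old_rows = parse_bro_log(old_text)
    _, new_rows = parse_bro_log(new_text)
    old_keys = {session_key(r) for r in old_rows}
    new_keys = {session_key(r) for r in new_rows}
    return {
        "old_lines": len(old_rows),
        "new_lines": len(new_rows),
        "old_bytes": len(old_text.encode("utf-8")),
        "new_bytes": len(new_text.encode("utf-8")),
        "missing_in_new": sorted(old_keys - new_keys),
        "extra_in_new": sorted(new_keys - old_keys),
    }


# Constructed sample: three SSL sessions seen by the "old" run, and the same
# traffic where the "new" run logged only two of them.
OLD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1445000001.100000\tCa1bC2\t10.0.0.5\t51000\t192.0.2.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.example.com
1445000002.200000\tCd3eF4\t10.0.0.6\t51001\t192.0.2.11\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\t-
1445000003.300000\tCg5hI6\t10.0.0.7\t51002\t192.0.2.12\t443\tTLSv10\tTLS_RSA_WITH_RC4_128_SHA\tmail.example.net
#close\t2015-10-16-12-00-00
"""

NEW_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1445000001.100000\tCx9yZ8\t10.0.0.5\t51000\t192.0.2.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.example.com
1445000002.200000\tCw7vU6\t10.0.0.6\t51001\t192.0.2.11\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\t-
#close\t2015-10-16-12-00-00
"""

if __name__ == "__main__":
    # Usage: python compare_ssl_logs.py old/ssl.log new/ssl.log
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            report = compare_ssl_logs(f_old.read(), f_new.read())
    else:
        report = compare_ssl_logs(OLD_LOG, NEW_LOG)
    for name, value in report.items():
        print(name, value)
```

Run against the two ssl.log files produced from the same pcap; a non-empty `missing_in_new` list is the concrete evidence to report back, since a smaller file with the same line count points at field-level changes, while fewer lines points at sessions not being logged at all.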