I am having some problems (or maybe misunderstanding) of how the suppression works. I haven’t changed my configuration file and it was working at one time. Now after upgrading to the master branch (I was on the heartbleed) it seems my suppression isn’t working as I understand it.
I have activated the SSL certificate checking as follows:
@load policy/protocols/ssl/expiring-certs.bro
redef SSL::notify_certs_expiration = ALL_HOSTS;
now when I watch my notice log, I am seeing what appear to be LOTS of notice logs for the same certificate. I thought that perhaps just the e-mails get suppressed, but after turning on e-mail notifications I get an e-mail for every notice. Plus my notice log is filling up rather quickly.
I know this probably won’t be very legible, but here is an example of just 2 of the notices I get from a single connection. They look exactly the same to me, and they have a time set for the suppression. I would have expected to only get one of these, but you can see the time stamp shows multiple notices happening very quickly.
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
1402057564.658489 CW6Riz4smTIRpMxWq1 1.1.1.1 51255 2.2.2.2 5223 F6irMUcwkf1ZcbIok - - tcp SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O= - 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG 86400.000000 F - - - - -
1402057564.660035 CW6Riz4smTIRpMxWq1 1.1.1.1 51255 2.2.2.2 5223 F6irMUcwkf1ZcbIok - - tcp SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O= - 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG 86400.000000 F - - - - -