Why am I seeing SSL "files" in my files.log?

Dear all,

I’ve been looking at my files.log file and I’m seeing a lot of logged transfers for source=SSL.

root@appliance:/usr/local/bro/logs# cat current/files.log | grep -i ssl | head
1422561677.508576 FmK9Jn1by8UfJ7Uk6c 216.58.217.46 192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - -0.000000 F F 1737 - 0 0 F - 04805888dbfa26c78e52f8860be4a776 43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -
1422561677.508576 FrcIKka3GRTlXwCYk 216.58.217.46 192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - -0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - -
1422561677.508576 FEuCUs4oRjvbJIPB68 216.58.217.46 192.168.200.235 CUEEAE4YJ25B6LwU03 SSL 0 X509,MD5,SHA1 - -0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - -
1422561677.588403 FKhNYN30aqixQTq0ya 216.58.217.14 192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - -0.000000 F F 1737 - 0 0 F - 04805888dbfa26c78e52f8860be4a776 43ae5511994a4d13b2b1e8b013bff7196c5645d2 - -
1422561677.588403 F6KI5g2pFla0x2h4w4 216.58.217.14 192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - -0.000000 F F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - -
1422561677.588403 FMD4Yq4JDMdG7dTnC6 216.58.217.14 192.168.200.235 CWx7Gs1ETyWn2IKu4h SSL 0 X509,MD5,SHA1 - -0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - -
1422561680.734060 F6kS0Y3B6xPUSr5bQ3 54.244.242.173 192.168.200.227 C2s8C31rDqouwSyREj SSL 0 X509,MD5,SHA1 - -0.000000 F F 931 - 0 0 F - 591c402fa2cbf8279323e5336dfe78e2 37c4666a6fb5535e01a113f5a25c7ae2b7d942c5 - -
1422561681.173742 FU1DBs1wCoSQhuW2O3 54.203.249.201 192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 - -0.000000 F F 1362 - 0 0 F - 1595a86ed4570a4804ccb459ba49c710 be032d527dcc970b2cb056c953036b3dac6d299f - -
1422561681.173742 FnauTv4UWVVeIEhKfb 54.203.249.201 192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 - -0.000000 F F 1433 - 0 0 F - f9a20bda18c130a3dd2c9300646baa70 12c9b291d19d3632d44f1069551c46490aea0542 - -
1422561681.173742 FJLfsb48MeGcQiiID5 54.203.249.201 192.168.200.227 CIJSA81yUj2OZ3Zec SSL 0 X509,MD5,SHA1 - -0.000000 F F 1087 - 0 0 F - d9e1f5ce2bf6982005dc6d95aa9f9875 20ee1b7a0dbae0cf16f5a6327fc4ae1cef25f12c - -
root@appliance:/usr/local/bro/logs#

What are these? Are these ssl certificates that are being transferred?

Thank you,
Luis

These are the X.509 certificates that are exchanged as a part of the SSL/TLS handshake. The “X509, MD5, SHA1” indicates that three file analyzers were attached to the file. For further details on the information extracted from the cert, pivot using the file id to the x509.log.

I think in a default configuration of Bro you’ll see that only the host certificate is loaded (client and server); that behavior can be modified:
https://www.bro.org/sphinx/_downloads/log-hostcerts-only.bro

Thanks,

Liam
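The pivot Liam describes, from the X509 rows in files.log to x509.log by file id, as an added example that is not part of the original thread and is not Bro's own code. It assumes Bro's tab-separated ASCII log format with a #fields header and the Bro 2.3-era column names (fuid and conn_uids in files.log, id and basic_constraints.ca in x509.log); the two log excerpts embedded below are constructed for the example with abbreviated columns and made-up ids and hashes, not real captures. It groups the certificates by connection, joins them to their x509.log rows, keeps only the end-entity (host) certificates, and counts how many connections presented each certificate, which is the usual way to cut the volume of SSL "files" down to what is worth looking at.

```python
"""Pivot Bro files.log X509 entries to x509.log by file id (fuid).

Added example for this thread; it is not code from the original posts or from
Bro. It assumes Bro's tab-separated ASCII log format with a "#fields" header
and the Bro 2.3-era column names. Both log excerpts below are constructed for
this example (abbreviated columns, made-up ids and hashes), not real captures.
"""
from collections import defaultdict

# Constructed files.log: C1 and C2 carry the same three-certificate chain
# (same sha1 values, different fuids), C3 carries a single certificate, and
# C4 is an HTTP file that must not be picked up as a certificate.
FILES_LOG = """\
#separator \\x09
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers\tseen_bytes\tmd5\tsha1
1422561677.508576\tFleaf0001\t216.58.217.46\t192.168.200.235\tCconn0001\tSSL\t0\tX509,MD5,SHA1\t1737\tmd5leaf\tsha1leaf
1422561677.508576\tFintr0001\t216.58.217.46\t192.168.200.235\tCconn0001\tSSL\t0\tX509,MD5,SHA1\t1012\tmd5intr\tsha1intr
1422561677.508576\tFroot0001\t216.58.217.46\t192.168.200.235\tCconn0001\tSSL\t0\tX509,MD5,SHA1\t897\tmd5root\tsha1root
1422561677.588403\tFleaf0002\t216.58.217.14\t192.168.200.235\tCconn0002\tSSL\t0\tX509,MD5,SHA1\t1737\tmd5leaf\tsha1leaf
1422561677.588403\tFintr0002\t216.58.217.14\t192.168.200.235\tCconn0002\tSSL\t0\tX509,MD5,SHA1\t1012\tmd5intr\tsha1intr
1422561677.588403\tFroot0002\t216.58.217.14\t192.168.200.235\tCconn0002\tSSL\t0\tX509,MD5,SHA1\t897\tmd5root\tsha1root
1422561680.734060\tFleaf0003\t54.244.242.173\t192.168.200.227\tCconn0003\tSSL\t0\tX509,MD5,SHA1\t931\tmd5other\tsha1other
1422561681.000000\tFhttp0001\t54.244.242.173\t192.168.200.227\tCconn0004\tHTTP\t0\tMD5,SHA1\t4096\tmd5http\tsha1http
"""

# Constructed x509.log: "id" is the fuid of the files.log row; the CA flag
# comes from the certificate's basicConstraints extension.
X509_LOG = """\
#fields\tts\tid\tcertificate.subject\tcertificate.issuer\tbasic_constraints.ca
1422561677.508576\tFleaf0001\tCN=www.example.test\tCN=Example Intermediate CA\tF
1422561677.508576\tFintr0001\tCN=Example Intermediate CA\tCN=Example Root CA\tT
1422561677.508576\tFroot0001\tCN=Example Root CA\tCN=Example Root CA\tT
1422561677.588403\tFleaf0002\tCN=www.example.test\tCN=Example Intermediate CA\tF
1422561677.588403\tFintr0002\tCN=Example Intermediate CA\tCN=Example Root CA\tT
1422561677.588403\tFroot0002\tCN=Example Root CA\tCN=Example Root CA\tT
1422561680.734060\tFleaf0003\tCN=other.example.test\tCN=Other CA\t-
"""


def parse_bro_log(text):
    """Parse Bro's ASCII log format: "#fields" names the columns, other
    "#" lines are metadata, and "-" marks an unset field (stored as None)."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def x509_files(files_records):
    """files.log rows that are handshake certificates: source SSL with the
    X509 analyzer attached (the analyzers column is a comma-separated set)."""
    return [r for r in files_records
            if r["source"] == "SSL" and "X509" in (r["analyzers"] or "").split(",")]


def chains_by_connection(files_records):
    """Group certificate files by connection uid, preserving log order."""
    chains = defaultdict(list)
    for r in x509_files(files_records):
        chains[r["conn_uids"]].append(r)
    return dict(chains)


def pivot_to_x509(files_records, x509_records):
    """Join each certificate file to its x509.log row on fuid == id.
    A missing basicConstraints extension is treated as "not a CA"."""
    by_id = {x["id"]: x for x in x509_records}
    joined = []
    for r in x509_files(files_records):
        x = by_id.get(r["fuid"])
        joined.append({
            "fuid": r["fuid"], "conn_uid": r["conn_uids"], "sha1": r["sha1"],
            "subject": x["certificate.subject"] if x else None,
            "issuer": x["certificate.issuer"] if x else None,
            "is_ca": (x["basic_constraints.ca"] == "T") if x else None,
        })
    return joined


def host_certs_only(joined):
    """Keep end-entity certificates; rows with no x509.log match are dropped."""
    return [j for j in joined if j["is_ca"] is False]


def cert_reuse(files_records):
    """sha1 -> number of distinct connections that presented that certificate."""
    seen = defaultdict(set)
    for r in x509_files(files_records):
        seen[r["sha1"]].add(r["conn_uids"])
    return {sha1: len(conns) for sha1, conns in seen.items()}


if __name__ == "__main__":
    files = parse_bro_log(FILES_LOG)
    certs = parse_bro_log(X509_LOG)
    for conn, chain in chains_by_connection(files).items():
        print(conn, [r["fuid"] for r in chain])
    for j in host_certs_only(pivot_to_x509(files, certs)):
        print(j["conn_uid"], j["fuid"], j["subject"], "issued by", j["issuer"])
    print(cert_reuse(files))
```

Run against a real deployment, read files.log and x509.log from the current log directory in place of the constructed strings; the parser is header driven, so the extra columns of a full log are carried along untouched. The reuse count is the quick sanity check for the volume seen in the question: the same chain showing up once per connection to the same service is expected, while a host certificate that appears in only one connection is the one to look at.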