Writing to SSL log

I’ve extended the SSL log with 2 fields.

redef record SSL::Info += {
foo: int &log &optional;
bar: string &log &optional;
};

I’m trying to set the values win the “connection_state_remove” event with the following.

event connection_state_remove(c: connection) {
c$ssl$foo = 1;

c$ssl$bar = “TEST”;
}

ssl.log shows the fields in the #fields line but the fields remain “-”. I’ve tried messing with the priority level but it’s not working. Something else going on here?

Thanks!

That works for most things, but the ssl log is primarily written to at the end of the ssl negotiation, not the end of the connection.

if you look in scripts/base/protocols/ssl/main.bro you see that the ssl log is written to by the log_record / finish helper functions, which are called from:

ssl_established, connection_state_remove(if not already logged!), and protocol_violation so in your case, what could work is

event ssl_established(c: connection) {
  c$ssl$foo = 1;
  c$ssl$bar = "TEST";
}

However, The ssl script also has this feature:

    # Hook that can be used to perform actions right before the log record
    # is written.
    global ssl_finishing: hook(c: connection);

So to ensure you catch everything and run at the right time, this will work even better:

hook ssl_finishing(c: connection) {
  c$ssl$foo = 1;
  c$ssl$bar = "TEST";
}

Justin, thanks! I remember having to use a different before to log it. I loaded up ssl and the following script but it’s not firing off.

test.bro:

hook ssl_finishing(c: connection) {
print “SSL Finishing Event!”;
}

Is there much of a delay for this to execute?

Oh, that's what I get for not testing on 2.5.x. That hook is new and will be in 2.6, for now you would need
to use the event ssl_established.

lol, alright. I’ll test it out in 2.6. Thanks.

I used the ssl_established event and appears to be a bit of a race condition for what I’m doing. I’m pulling in some data from broker and deliver from broker is slower than network traffic…