Thursday, August 18, 2011

Monitoring SSL Connections with Bro: Quickstart

Updated (8/20/2011) based on more info from Seth.
Bro ( is an amazing suite of software which can do things that no other IDS on the planet can come close to.  In this post, I want to cover one such feature: SSL monitoring.  Bro has a true understanding of the SSL being used on your network and will efficiently process certificates on the wire for a variety of purposes.  Out of the box, Bro can very efficiently and accurately identify invalid and self-signed certificates, going so far as to actually walk the certificate chain using the certs that ship with Mozilla browsers for a true test.  In addition, Bro will extract all of the relevant details from certificates for logging purposes, which can provide a handy historical record of the sites and companies involved in SSL, which is the next best thing to performing proxy/MITM SSL inspection.

Installing Bro
This quickstart guide will show how to get up and running with Bro on Ubuntu.  I hope that most of the commands and tips will apply to other operating systems and Linux distros, but there will surely be some differences.

Begin by making sure we've got our prerequisites in order:
apt-get install git libssl-dev swig libmagic-dev libgeoip-dev
Grab the latest Bro from the git repository.  Beware, this is cutting edge code, and you may need to download the latest stable tarball from if the git build fails:
git clone --recursive git://
Now you will have bro and auxiliary files in a directory named "bro."
cd bro
I have discovered that on some Linux distros (SuSE, for one), the version of CMake is less than  2.6.3 and so it needs to be downloaded from and custom installed as Bro requires 2.6.3 or better.
(edited: "--enable-brov6" apparently has memory leaks right now.)
./configure --prefix=/usr/local/bro-git
There are a fair amount of options here, but the configure script does a pretty good job of finding out if you've got things installed already and adjusting accordingly.  Since we're looking to do SSL inspection, at a minimum, you'll need to make sure you've got the OpenSSL development libraries installed, which we've done above with apt-get.  If all goes, well, we do the make:
make && cd build && sudo make install
Now we will add a custom bro script which Seth Hall wrote which will print to STDOUT any SSL certificates which were created less than 30 days ago.
cd /usr/local/bro-git/share/bro/site/
vi young-ssl.bro
Paste in the following (edited: removed "@load protocols/ssl"):
event SSL::log_ssl(rec: SSL::Info)
       # We have to check if there is a not_valid_before field because not
       # all SSL transactions actually exchange certificates (i.e. resumed session).
       if ( rec?$not_valid_before && rec$not_valid_before >= network_time() - 30 days &&
            rec$not_valid_before <= network_time() )
               print fmt("%s is using a certificate that just became valid in the last 30 days (%T) (%s)",
                       rec$id$resp_h, rec$not_valid_before, rec$subject);
Now we activate it in the config:
echo "@load young-ssl" >> local.bro
Create some basic log directories for a test run:
mkdir /tmp/bro-logs
cd /tmp/bro-logs
Start bro (assuming we want to monitor eth1):
sudo /usr/local/bro-git/bin/bro -i eth1 local
Let it run for awhile, then have a look at the various logs created.  ssl.log will contain a list of all SSL certificates observed.  Here's an example:

# ts    uid    id.orig_h    id.orig_p    id.resp_h    id.resp_p    version    cipher    server_name    subject    not_valid_before    not_valid_after    validation_status
1313897881.475569    QUVGS5xx9ea    36804    443    TLSv10    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,OU=Twitter Platform,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US    1274158800.000000    1337317199.000000    ok

So there you have it!  A fully functional Bro installation in just a few easy steps.  In a future post, I will show you have to get Bro output into various output collection mechanism like syslog and databases.