Merge remote-tracking branch 'origin/topic/johanna/tls-more-data'

* origin/topic/johanna/tls-more-data:
  Update NEWS for ssl changes.
  SSL: test updates for record_layer version
  Final touches to SSL events with record layer version.
  Introduce ssl_plaintext_data event.
  Add record layer version to event ssl_encrypted_data.
  Add compression methods to ssl_client_hello event.

CHANGES

@@ -1,4 +1,13 @@
 
+2.5-944 | 2018-08-30 09:28:41 -0500
+
+  * Introduce ssl_plaintext_data event, replacing ssl_application_data event.
+    (Johanna Amann)
+     
+  * Add record layer version to event ssl_encrypted_data. (Johanna Amann)
+
+  * Add compression methods to ssl_client_hello event. (Johanna Amann)
+
 2.5-932 | 2018-08-30 00:08:58 +0000
 
   * Add Broker::forward() function. This enables explicit forwarding

NEWS

@@ -223,6 +223,22 @@ New Functionality
   Since ssl_ecdh_server_params contains more information than the old
   ssl_server_curve event, ssl_server_curve is now marked as deprecated.
 
+- The ssl_application_data event was retired and replaced with ssl_plaintext_data.
+
+- Some SSL events were changed and now provide additional data. These events
+  are:
+
+  ssl_client_hello, ssl_server_hello, ssl_encrypted_data
+
+  If you use these events, you can make your scripts work on old and new versions
+  of Bro by wrapping the event definition in an @if, for example:
+
+    @if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
+    event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+    @else
+    event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
+    @endif
+
 - Functions for retrieving files by their ID have been added:
   Files::file_exists, Files::lookup_File
 

VERSION

@@ -1 +1 @@
-2.5-932
+2.5-944

scripts/base/protocols/ssl/main.bro

@@ -200,7 +200,7 @@ function finish(c: connection, remove_analyzer: bool)
 		}
 	}
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
 	{
 	set_session(c);
 
@@ -212,7 +212,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
 		}
 	}
 
-event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
 	{
 	set_session(c);
 
@@ -351,11 +351,11 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
 		}
 	}
 
-event ssl_application_data(c: connection, is_orig: bool, length: count)
+event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) &priority=5
 	{
 	set_session(c);
 
-	if ( ! c$ssl?$version || c$ssl$established )
+	if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
 		return;
 
 	if ( c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )

scripts/policy/protocols/ssl/heartbleed.bro

@@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	if ( !c?$ssl )
 		return;

scripts/policy/protocols/ssl/weak-keys.bro

@@ -76,7 +76,7 @@ event ssl_established(c: connection) &priority=3
 	}
 
 # Check for old SSL versions and weak connection keys
-event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=3
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=3
 	{
 	if ( ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
 		return;

src/analyzer/protocol/ssl/DTLS.cc

@@ -51,8 +51,9 @@ void DTLS_Analyzer::EndOfData(bool is_orig)
 	}
 
 
-void DTLS_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
+void DTLS_Analyzer::SendHandshake(uint16 raw_tls_version, uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
 	{
+	handshake_interp->set_record_version(raw_tls_version);
 	try
 		{
 		handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);

src/analyzer/protocol/ssl/DTLS.h

@@ -22,7 +22,7 @@ public:
 					uint64 seq, const IP_Hdr* ip, int caplen) override;
 	void EndOfData(bool is_orig) override;
 
-	void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
+	void SendHandshake(uint16 raw_tls_version, uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
 
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)

src/analyzer/protocol/ssl/SSL.cc

@@ -71,8 +71,9 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void SSL_Analyzer::SendHandshake(const u_char* begin, const u_char* end, bool orig)
+void SSL_Analyzer::SendHandshake(uint16 raw_tls_version, const u_char* begin, const u_char* end, bool orig)
 	{
+	handshake_interp->set_record_version(raw_tls_version);
 	try
 		{
 		handshake_interp->NewData(orig, begin, end);

src/analyzer/protocol/ssl/SSL.h

@@ -21,7 +21,7 @@ public:
 	void DeliverStream(int len, const u_char* data, bool orig) override;
 	void Undelivered(uint64 seq, int len, bool orig) override;
 
-	void SendHandshake(const u_char* begin, const u_char* end, bool orig);
+	void SendHandshake(uint16 raw_tls_version, const u_char* begin, const u_char* end, bool orig);
 
 	// Tell the analyzer that encryption has started.
 	void StartEncryption();

src/analyzer/protocol/ssl/dtls-analyzer.pac

@@ -42,7 +42,7 @@ refine connection SSL_Conn += {
 		if ( foffset == 0 && length == flength )
 			{
 			//fprintf(stderr, "Complete fragment, forwarding...\n");
-			bro_analyzer()->SendHandshake(${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
+			bro_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
 			return true;
 			}
 
@@ -131,7 +131,7 @@ refine connection SSL_Conn += {
 			if ( ( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0 )
 				{
 				//fprintf(stderr, "ALl fragments here. Total length %u\n", length);
-				bro_analyzer()->SendHandshake(${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
+				bro_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
 				}
 			}
 

src/analyzer/protocol/ssl/dtls-protocol.pac

@@ -18,10 +18,11 @@ type SSLRecord(is_orig: bool) = record {
 	cont: case valid of {
 		true -> rec: RecordText(this)[] &length=length;
     false -> swallow: bytestring &restofdata;
-	};
+	} &requires(valid,raw_tls_version);
 } &byteorder = bigendian, &let {
 # Do not parse body if packet version invalid
 	valid: bool = $context.connection.dtls_version_ok(version);
+	raw_tls_version: uint16 = version;
 };
 
 type RecordText(rec: SSLRecord) = case rec.epoch of {

src/analyzer/protocol/ssl/events.bif

@@ -12,6 +12,9 @@
 ##          values are standardized as part of the SSL/TLS protocol. The
 ##          :bro:id:`SSL::version_strings` table maps them to descriptive names.
 ##
+## record_version: TLS version given in the record layer of the message.
+##                 Set to 0 for SSLv2.
+##
 ## possible_ts: The current time as sent by the client. Note that SSL/TLS does
 ##              not require clocks to be set correctly, so treat with care.
 ##
@@ -24,12 +27,15 @@
 ##          standardized as part of the SSL/TLS protocol. The
 ##          :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
+## comp_methods: The list of compression methods that the client offered to use.
+##               This value is not sent in TLSv1.3 or SSLv2.
+##
 ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake x509_certificate ssl_handshake_message
 ##    ssl_change_cipher_spec
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms
-event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%);
+event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
 ## start with an unencrypted handshake, and Bro extracts as much information out
@@ -45,6 +51,9 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##          The values are standardized as part of the SSL/TLS protocol. The
 ##          :bro:id:`SSL::version_strings` table maps them to descriptive names.
 ##
+## record_version: TLS version given in the record layer of the message.
+##                 Set to 0 for SSLv2.
+##
 ## possible_ts: The current time as sent by the server. Note that SSL/TLS does
 ##              not require clocks to be set correctly, so treat with care. This value
 ##              is not sent in TLSv1.3.
@@ -61,14 +70,14 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##
 ## comp_method: The compression method chosen by the client. The values are
 ##              standardized as part of the SSL/TLS protocol. This value is not
-##              sent in TLSv1.3.
+##              sent in TLSv1.3 or SSLv2.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
 ##    ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms
-event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
+event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
 ## sessions start with an unencrypted handshake, and Bro extracts as much
@@ -476,22 +485,28 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##    ssl_alert ssl_encrypted_data
 event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
 
-## Generated for non-handshake SSL/TLS application_data messages that are sent before
-## full encryption starts. For TLS 1.2 and lower, this event should not be raised. For TLS 1.3,
-## it is used by Bro internally to determine if the connection has been completely setup.
-## This is necessary as TLS 1.3 does not have CCS anymore.
+## Generated for SSL/TLS messages that are sent before full session encryption
+## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
+## here this event will be raised for early packets that are already using
+## pre-encryption.  # This event is also used by Bro internally to determine if
+## the connection has been completely setup. This is necessary as TLS 1.3 does
+## not have CCS anymore.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content_type: message type as reported by TLS session layer.
+## record_version: TLS version given in the record layer of the message.
+##                 Set to 0 for SSLv2.
 ##
-## length: length of the entire heartbeat message.
+## content_type: message type as reported by TLS session layer. Not populated for
+##               SSLv2.
+##
+## length: length of the entire message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
-event ssl_application_data%(c: connection, is_orig: bool, length: count%);
+event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
 
 ## Generated for SSL/TLS messages that are sent after session encryption
 ## started.
@@ -503,13 +518,17 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content_type: message type as reported by TLS session layer.
+## record_version: TLS version given in the record layer of the message.
+##                 Set to 0 for SSLv2.
 ##
-## length: length of the entire heartbeat message.
+## content_type: message type as reported by TLS session layer. Not populated for
+##               SSLv2.
+##
+## length: length of the entire message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
-event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, length: count%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
 
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.

src/analyzer/protocol/ssl/proc-client-hello.pac

@@ -3,7 +3,8 @@
 					client_random : bytestring,
 					session_id : uint8[],
 					cipher_suites16 : uint16[],
-					cipher_suites24 : uint24[]) : bool
+					cipher_suites24 : uint24[],
+					compression_methods: uint8[]) : bool
 		%{
 		if ( ! version_ok(version) )
 			{
@@ -28,11 +29,21 @@
 				cipher_vec->Assign(i, ciph);
 				}
 
+			VectorVal* comp_vec = new VectorVal(internal_type("index_vec")->AsVectorType());
+			if ( compression_methods )
+				{
+				for ( unsigned int i = 0; i < compression_methods->size(); ++i )
+					{
+					Val* comp = new Val((*compression_methods)[i], TYPE_COUNT);
+					comp_vec->Assign(i, comp);
+					}
+				}
+
 			BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
-							version, ts, new StringVal(client_random.length(),
+							version, record_version(), ts, new StringVal(client_random.length(),
 							(const char*) client_random.data()),
 							to_string_val(session_id),
-							cipher_vec);
+							cipher_vec, comp_vec);
 
 			delete cipher_suites;
 			}

src/analyzer/protocol/ssl/proc-server-hello.pac

@@ -23,7 +23,7 @@
 
 			BifEvent::generate_ssl_server_hello(bro_analyzer(),
 							bro_analyzer()->Conn(),
-							version, ts, new StringVal(server_random.length(),
+							version, record_version(), ts, new StringVal(server_random.length(),
 							(const char*) server_random.data()),
 							to_string_val(session_id),
 							ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);

src/analyzer/protocol/ssl/ssl-analyzer.pac

@@ -25,7 +25,7 @@ refine connection SSL_Conn += {
 
 	function proc_handshake(rec: SSLRecord, data: bytestring, is_orig: bool) : bool
 		%{
-		bro_analyzer()->SendHandshake(data.begin(), data.end(), is_orig);
+		bro_analyzer()->SendHandshake(${rec.raw_tls_version}, data.begin(), data.end(), is_orig);
 		return true;
 		%}
 };
@@ -38,7 +38,7 @@ refine typeattr V2Error += &let {
 
 refine typeattr V2ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(client_version, 0,
-				challenge, session_id, 0, ciphers);
+				challenge, session_id, 0, ciphers, 0);
 };
 
 refine typeattr V2ServerHello += &let {

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -54,16 +54,18 @@ refine connection SSL_Conn += {
 							bro_analyzer()->Conn());
 			}
 
+		if ( ssl_encrypted_data )
 			BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
 
 		return true;
 		%}
 
-	function proc_application_record(rec : SSLRecord) : bool
+	function proc_plaintext_record(rec : SSLRecord) : bool
 		%{
-		BifEvent::generate_ssl_application_data(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
+		if ( ssl_plaintext_data )
+			BifEvent::generate_ssl_plaintext_data(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
 
 		return true;
 		%}
@@ -115,8 +117,8 @@ refine typeattr CiphertextRecord += &let {
 	proc : bool = $context.connection.proc_ciphertext_record(rec);
 }
 
-refine typeattr ApplicationData += &let {
-	proc : bool = $context.connection.proc_application_record(rec);
+refine typeattr PlaintextRecord += &let {
+	proc : bool = $context.connection.proc_plaintext_record(rec);
 }
 
 refine typeattr ChangeCipherSpec += &let {

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -8,16 +8,22 @@ type SSLRecord(is_orig: bool) = record {
 	head2 : uint8;
 	head3 : uint8;
 	head4 : uint8;
-	rec : RecordText(this)[] &length=length, &requires(content_type);
+	rec : RecordText(this)[] &length=length, &requires(version,content_type,raw_tls_version);
 } &length = length+5, &byteorder=bigendian,
 	&let {
 	version : int =
 		$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
 
+	# unmodified tls record layer version of this packet. Do not use this if you are parsing SSLv2
+	raw_tls_version: uint16 = case version of {
+		SSLv20 -> 0;
+		default -> (head1<<8) | head2;
+	} &requires(version);
+
 	content_type : int = case version of {
 		SSLv20 -> head2+300;
 		default -> head0;
-	};
+	} &requires(version);
 
 	length : int = case version of {
 		# fail analyzer if the packet cannot be recognized as TLS.
@@ -208,4 +214,6 @@ refine connection SSL_Conn += {
 		return UNKNOWN_VERSION;
 		%}
 
+	function record_version() : uint16 %{ return 0; %}
+
 };

src/analyzer/protocol/ssl/tls-handshake-analyzer.pac

@@ -416,7 +416,7 @@ refine connection Handshake_Conn += {
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(client_version,
 				gmt_unix_time, random_bytes,
-				session_id, csuits, 0);
+				session_id, csuits, 0, cmeths);
 };
 
 refine typeattr ServerHello += &let {

src/analyzer/protocol/ssl/tls-handshake-protocol.pac

@@ -889,11 +889,13 @@ refine connection Handshake_Conn += {
 	%member{
 		uint32 chosen_cipher_;
 		uint16 chosen_version_;
+		uint16 record_version_;
 	%}
 
 	%init{
 		chosen_cipher_ = NO_CHOSEN_CIPHER;
 		chosen_version_ = UNKNOWN_VERSION;
+		record_version_ = 0;
 	%}
 
 	function chosen_cipher() : int %{ return chosen_cipher_; %}
@@ -911,6 +913,13 @@ refine connection Handshake_Conn += {
 		chosen_version_ = version;
 		return true;
 		%}
+
+	function record_version() : uint16 %{ return record_version_; %}
+
+	function set_record_version(version: uint16) : bool
+		%{
+		record_version_ = version;
+		return true;
+		%}
 };
 
-

testing/btest/Baseline/scripts.base.protocols.ssl.comp_methods/.stdout

@@ -0,0 +1,2 @@
+[1, 0]
+0

testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout

@@ -1,45 +1,54 @@
 Handshake, 192.168.1.105, 74.125.224.79, T, 1, 169
+Plaintext data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 173
 Handshake, 192.168.1.105, 74.125.224.79, F, 2, 81
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 85
 Handshake, 192.168.1.105, 74.125.224.79, F, 11, 1620
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 1624
 Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 203
 Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 4
 Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66
+Plaintext data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 70
 CCS, 192.168.1.105, 74.125.224.79, T
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 22, 72
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 48
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 387
+Plaintext data, 192.168.1.105, 74.125.224.79, T, TLSv10, 20, 1
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 72
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 48
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 387
 Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 174
 CCS, 192.168.1.105, 74.125.224.79, F
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 20, 1
 Established, 192.168.1.105, 74.125.224.79
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 22, 36
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 40
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 248
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 161
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 33
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 148
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 46
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 135
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 59
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1312
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 1345
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 245
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 92
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 75
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 28
-Encrypted data, 192.168.1.105, 74.125.224.79, T, 23, 32
-Encrypted data, 192.168.1.105, 74.125.224.79, F, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 36
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 40
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 248
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 161
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 33
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 148
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 46
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 135
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 59
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1312
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 1345
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 245
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 92
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 75
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 28
+Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 32
+Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 32

testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log

@@ -3,60 +3,60 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2017-11-30-20-15-05
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_random	client_cipher_suites	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1398558136.319509	CHhAvVGS1DHFjwGM9	192.168.18.50	62277	162.219.2.166	443	TLSv12	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	-	-	F	-	-	T	F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7	(empty)	emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US	CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL	-	-	1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322	bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b	02	af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac	-	1	6	18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a	c3d48226a8f94d3bbb49918ac02187493258e74e	-	0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483	-
-#close	2017-11-30-20-15-05
+#open	2018-08-27-22-38-51
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
+1398558136.319509	CHhAvVGS1DHFjwGM9	192.168.18.50	62277	162.219.2.166	443	TLSv12	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	-	-	F	-	-	T	F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7	(empty)	emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US	CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL	-	-	TLSv10	1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv12	5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322	bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b	02	af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac	-	1	6	18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a	c3d48226a8f94d3bbb49918ac02187493258e74e	-	0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483	-
+#close	2018-08-27-22-38-51
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2017-11-30-20-15-06
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_random	client_cipher_suites	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1398529018.678827	CHhAvVGS1DHFjwGM9	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	d170a048a025925479f1a573610851d30a1f3e7267836932797def95	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c	-	-	-	04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807	1	6	bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e	e2fb0771ee6fc0d0e324bc863c02b57921257c86	-	-	4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472
-#close	2017-11-30-20-15-06
+#open	2018-08-27-22-38-52
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
+1398529018.678827	CHhAvVGS1DHFjwGM9	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	TLSv10	d170a048a025925479f1a573610851d30a1f3e7267836932797def95	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv12	5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c	-	-	-	04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807	1	6	bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e	e2fb0771ee6fc0d0e324bc863c02b57921257c86	-	-	4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472
+#close	2018-08-27-22-38-52
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2017-11-30-20-15-06
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_random	client_cipher_suites	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1170717505.549109	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	e6b8efdf91cf44f7eae43c83398fdcb2	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785	-	-
-1170717508.697180	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52	-	-
-1170717511.722913	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8	-	-
-#close	2017-11-30-20-15-06
+#open	2018-08-27-22-38-52
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
+1170717505.549109	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	unknown-0	e6b8efdf91cf44f7eae43c83398fdcb2	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785	-	-
+1170717508.697180	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	TLSv10	a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52	-	-
+1170717511.722913	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	TLSv10	240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8	-	-
+#close	2018-08-27-22-38-52
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2017-11-30-20-15-07
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_random	client_cipher_suites	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1512072318.429417	CHhAvVGS1DHFjwGM9	192.168.17.58	62987	216.58.192.14	443	TLSv11	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	secp256r1	-	F	-	-	T	F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71	-	-	-	04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb	256	256	72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a	b453697b78df7c522c3e2bfc889b7fa6674903ca	-	-	4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792
-#close	2017-11-30-20-15-07
+#open	2018-08-27-22-38-53
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
+1512072318.429417	CHhAvVGS1DHFjwGM9	192.168.17.58	62987	216.58.192.14	443	TLSv11	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	secp256r1	-	F	-	-	T	F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	TLSv10	ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv11	0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71	-	-	-	04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb	256	256	72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a	b453697b78df7c522c3e2bfc889b7fa6674903ca	-	-	4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792
+#close	2018-08-27-22-38-53
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2017-11-30-20-15-08
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_random	client_cipher_suites	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1425932016.520157	CHhAvVGS1DHFjwGM9	192.168.6.86	63721	104.236.167.107	4433	DTLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FZi2Ct2AcCswhiIjKe	(empty)	CN=bro	CN=bro	-	-	543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2	-	-	-	043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef	256	256	17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39	fa6d780625219f5e1ae0b4c863e8321328241134	-	-	4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49
-#close	2017-11-30-20-15-08
+#open	2018-08-27-22-38-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
+1425932016.520029	CHhAvVGS1DHFjwGM9	192.168.6.86	63721	104.236.167.107	4433	DTLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FZi2Ct2AcCswhiIjKe	(empty)	CN=bro	CN=bro	-	-	DTLSv10	543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	DTLSv10	e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2	-	-	-	043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef	256	256	17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39	fa6d780625219f5e1ae0b4c863e8321328241134	-	-	4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49
+#close	2018-08-27-22-38-54
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2017-11-30-20-15-09
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_random	client_cipher_suites	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1512070268.983215	CHhAvVGS1DHFjwGM9	192.168.17.58	60934	165.227.57.17	4400	DTLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fox0Fc3MY8kLKfhNK6	(empty)	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	-	-	e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490	-	-	-	049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9	1	6	e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c	1cb43b5f1de3fe36d595da76210bbf5572a721be	-	-	41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416
-#close	2017-11-30-20-15-09
+#open	2018-08-27-22-38-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
+1512070268.982498	CHhAvVGS1DHFjwGM9	192.168.17.58	60934	165.227.57.17	4400	DTLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fox0Fc3MY8kLKfhNK6	(empty)	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	-	-	DTLSv12	e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	DTLSv12	1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490	-	-	-	049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9	1	6	e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c	1cb43b5f1de3fe36d595da76210bbf5572a721be	-	-	41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416
+#close	2018-08-27-22-38-54

testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/.stdout

@@ -0,0 +1,2 @@
+client, TLSv10, TLSv12
+server, TLSv12, TLSv12

testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout

@@ -1,34 +1,56 @@
 key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 unknown-27242
 x25519
+client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 unknown-19018
 x25519
+client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-43690
 x25519
+client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
+server, TLSv10, TLSv13-draft14
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-60138
 x25519
+client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
+server, TLSv10, TLSv13-draft14
 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 x25519
 secp256r1
 secp384r1
+client, TLSv10, TLSv12
+client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
 secp384r1
+client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
+server, TLSv10, TLSv13-draft16
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
 secp384r1
+client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
+server, TLSv10, TLSv13-draft16
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -167,6 +167,7 @@
 1437831799.611764 protocol_confirmation
 1437831799.611764 ssl_client_hello
 1437831799.611764 ssl_handshake_message
+1437831799.611764 ssl_plaintext_data
 1437831799.764576 ssl_extension
 1437831799.764576 ssl_server_hello
 1437831799.764576 ssl_handshake_message
@@ -205,9 +206,13 @@
 1437831799.764576 file_state_remove
 1437831799.764576 ssl_handshake_message
 1437831799.764576 ssl_handshake_message
+1437831799.764576 ssl_plaintext_data
 1437831799.838196 ssl_handshake_message
+1437831799.838196 ssl_plaintext_data
 1437831799.838197 ssl_change_cipher_spec
+1437831799.838197 ssl_plaintext_data
 1437831800.045701 ssl_change_cipher_spec
+1437831800.045701 ssl_plaintext_data
 1437831800.045701 ssl_established
 1437831800.217854 net_done
 1437831800.217854 filter_change_tracking

testing/btest/scripts/base/protocols/ssl/comp_methods.test

@@ -0,0 +1,14 @@
+# This tests that the values sent for compression methods are correct.
+
+# @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+	{
+	print comp_methods;
+	}
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+	{
+	print comp_method;
+	}

testing/btest/scripts/base/protocols/ssl/dpd.test

@@ -14,7 +14,7 @@ event bro_init()
 	print "Start test run";
 	}
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
 	{
 	print "Client hello", c$id$orig_h, c$id$resp_h, version;
 	}

testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test

@@ -3,7 +3,7 @@
 # @TEST-EXEC: touch dpd.log
 # @TEST-EXEC: btest-diff dpd.log
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
 	{
 	print version, client_random, session_id, ciphers;
 	}

testing/btest/scripts/base/protocols/ssl/handshake-events.test

@@ -22,7 +22,12 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
 	print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
-	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, content_type, length;
+	print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
+	}
+
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+	{
+	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 	}

testing/btest/scripts/base/protocols/ssl/keyexchange.test

@@ -23,10 +23,12 @@ module SSL;
 export {
 	redef record Info += {
 		# ClientHello
+		client_record_version: string &log &optional;
 		client_random: string &log &optional;
 		client_cipher_suites: string &log &optional;
 
 		# ServerHello
+		server_record_version: string &log &optional;
 		server_random: string &log &optional;
 
 		# ServerKeyExchange
@@ -62,10 +64,11 @@ event ssl_established(c: connection) &priority=5
 	c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1;
 	}
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
 	{
 	set_session(c);
 	c$ssl$client_random = bytestring_to_hexstr(client_random);
+	c$ssl$client_record_version = SSL::version_strings[record_version];
 
 	local ciphers_str = "";
 	for (i in ciphers)
@@ -79,10 +82,11 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
 	c$ssl$client_cipher_suites = ciphers_str;
 	}
 
-event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
 	{
 	set_session(c);
 	c$ssl$server_random = bytestring_to_hexstr(server_random);
+	c$ssl$server_record_version = SSL::version_strings[record_version];
 	}
 
 event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5

testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test

@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) 
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
 	{
 	print fmt("Got %d cipher suites", |ciphers|);
 	for ( i in ciphers )

testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test

@@ -1,12 +1,12 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) 
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
  	{
 	print client_random;
  	}
 
-event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) 
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
 	{
 	print server_random;
 	}

testing/btest/scripts/base/protocols/ssl/tls-1.2.test

@@ -1,3 +1,14 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
+	{
+	print "client", SSL::version_strings[record_version], SSL::version_strings[version];
+	}
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+	{
+	print "server", SSL::version_strings[record_version], SSL::version_strings[version];
+	}

testing/btest/scripts/base/protocols/ssl/tls13.test

@@ -9,6 +9,8 @@
 # @TEST-EXEC: btest-diff ssl-out.log
 # @TEST-EXEC: btest-diff .stdout
 
+redef SSL::disable_analyzer_after_detection=F;
+
 event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
 	{
 	print "key_share", c$id, is_orig;
@@ -23,7 +25,17 @@ event ssl_established(c: connection)
 	print "established", c$id;
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
-	print "encrypted", c$id, is_orig, content_type;
+	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
+	}
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5
+	{
+	print "client", SSL::version_strings[record_version], SSL::version_strings[version];
+	}
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+	{
+	print "server", SSL::version_strings[record_version], SSL::version_strings[version];
 	}