2015-08-13 04:01 PM
Hi all,
I'm trying to achieve something that I thought would be quite straightforward but is proving a bit tricky.
In SA, I'm trying to issue a query to return the domain names of HTTPS connections for a specific 30-minute window.
So, I thought, easy enough, 2 steps:
But of course I'm seeing alias.host entries for things like:
*.google.com
which I assume is the domain name from the SSL certificate.
Is it even possible to achieve my goal? I just want to see the domain names which were the target of the HTTPS connections, not the domain names from the certs.
Any pointers would be gratefully received!
2015-08-14 04:38 AM
Ok, so this was probably a daft question.
Given I'm looking at TLS connections, there shouldn't be any hostnames besides in the certificate or the SNI extension.