All,
I have a Squid web proxy with an in house cert on it. We've gone through and applied the root certs to all our hosts and set it as trusted and it's working great. What I am looking to do is create an alert in Splunk that is a host tries to hit our proxy and fails the, I get an alert.
I am assuming there is a SSL cert disconnect message of some sorts in Stream I can capture. But I am not sure what streams to configure. Point me in the right direction?
Just wanted to give this a quick bump, I am able to find what I am looking for using tcpdump so I know the event is there. Just not sure how to configure a stream for it.
How I am getting the data from the command line -
tshark -i ens160 -Y ssl.alert_message.level
tcpdump -ni ens192 -C 100 -W 5 "port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15)"