Hi all,
I'm trying to achieve something that I thought would be quite straightforward but is proving a bit tricky.
In SA, I'm trying to issue a query to return the domain names of HTTPS connections for a specific 30-minute window.
So, I thought, easy enough, 2 steps:
- Choose 'Custom' in the drop-down list for the time frame and specify my time frame.
- Set a filter for: service=443 (or under 'Service' click 'SSL').
But of course I'm seeing alias.host entries for things like:
*.google.com
which I assume is the domain name from the SSL certificate.
Is it even possible to achieve my goal? I just want to see the domain names which were the target of the HTTPS connections, not the domain names from the certs.
Any pointers would be gratefully received!
Ok, so this was probably a daft question.
Given I'm looking at TLS connections, there shouldn't be any hostnames besides in the certificate or the SNI extension.