I'm trying to achieve something that I thought would be quite straightforward but is proving a bit tricky.
In SA, I'm trying to issue a query to return the domain names of HTTPS connections for a specific 30-minute window.
So, I thought, easy enough, 2 steps:
- Choose 'Custom' in the drop-down list for the time frame and specify my time frame.
- Set a filter for: service=443 (or under 'Service' click 'SSL').
But of course I'm seeing alias.host entries for things like:
which I assume is the domain name from the SSL certificate.
Is it even possible to achieve my goal? I just want to see the domain names which were the target of the HTTPS connections, not the domain names from the certs.
Any pointers would be gratefully received!