Seth Hall explains how to get Bro to log SSL certificates extracted from the wire. The version shipped with Security Onion is new and that functionality doesn’t appear to be enabled by default. If you have libGeoIP support built in, do some geographic detections and logging for SSH traffic. After restarting Bro, you will have a new log for all SSL certs: “CERTIFICATE----- MIIGYjCCBUqgbuqgAwgAwIBAgIQdyRQbU+ah51Lxm5niPJgyTANBgkqhkiG9w0BAQUFADCB”
Source: https://taosecurity.blogspot.com/2013/02/using-bro-to-log-ssl-certificates.html

