[Bro] Adding SSL certs to Bro 2.0

Louis F Ruppert lruppert at syr.edu
Wed Nov 16 13:16:58 PST 2011

The semicolon at the end of the second line errors.  Removing it causes it to work.

If anyone's interested, I have a sloppy python script that will take a "standard" .pem cert and output a valid "redef SSL::root_certs += {..." stanza like the one Seth wrote.  I tested it with the cacert root sig and it's happy with my certs now. :)


Lou Ruppert
Intrusion Analyst, GCFA
Information Security
Syracuse University
From: bro-bounces at bro-ids.org [bro-bounces at bro-ids.org] on behalf of Seth Hall [seth at icir.org]
Sent: Wednesday, November 16, 2011 1:16 PM
To: Mathew Binkley
Cc: bro at bro-ids.org
Subject: Re: [Bro] Adding SSL certs to Bro 2.0

On Nov 16, 2011, at 12:28 PM, Mathew Binkley wrote:

> Hi!  I've been testing the 2.0 beta (kudos, btw).

Great, thanks!

> I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
> CA certs.   Is there a way to add our own to that or to a separate file?
>  How is that file generated?   Thanks.

We have a exercise from the workshop that specifically addresses this situation.  We will be posting the workshop material really soon too.

Ultimately, you need to take a DER formatted version of your root public key and convert it to Bro's hex string representation and add it to the SSL::root_certs table.  Like this....

redef SSL::root_certs += {
        ["your root certificates subject"] = "\x30\x82\x03\x75\x30\x82<snip a lot more of this>";

You can add that to the bottom of your local.bro file as Sridhar recommended.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

Bro mailing list
bro at bro-ids.org

More information about the Bro mailing list