Johanna Amann johanna at icir.org
Tue Jul 15 09:55:34 PDT 2014

Hello James,

using blacklists like this is actually quite easy nowadays. Just loading 
the list of blacklisted SHA-1 hashes into the intel framework and making 
sure that policy/frameworks/intel/seen/file-hashes.bro is loaded should 
be enough.

Certificates used in SSL connections are handled just like files, so if 
one of the certificates is encountered after loading the data, it should 
trigger a notification.

You just have to reformat the list for the intel framework.


On 15 Jul 2014, at 9:40, James Lay wrote:

> Interesting:
> https://sslbl.abuse.ch/blacklist/
> Wonder if bro can support this?
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list