netantho at gmail.com
Wed Jul 30 15:08:19 PDT 2014
I created a Python script to get and parse the latest version of a blacklist
and convert it to the Bro intel framework format:
Thanks James and Johanna for the idea :)
On 7/15/14, 9:59 AM, James Lay wrote:
> On 2014-07-15 10:55, Johanna Amann wrote:
>> Hello James,
>> using blacklists like this is actually quite easy nowadays. Just
>> loading the list of blacklisted SHA-1 hashes into the intel framework
>> and making sure that policy/frameworks/intel/seen/file-hashes.bro is
>> loaded should be enough.
>> Certificates used in SSL connections are handled just like files, so
>> if one of the certificates is encountered after loading the data, it
>> should trigger a notification.
>> You just have to reformat the list for the intel framework.
>> On 15 Jul 2014, at 9:40, James Lay wrote:
>>> Wonder if bro can support this?
> Thank you Johanna...I will go down that path.
> Bro mailing list
> bro at bro-ids.org
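
The conversion discussed in this thread, as an added example that is not the script from the original post: it turns a CSV blacklist of certificate SHA-1 hashes into a tab-separated intel framework file. The input column layout (date, SHA-1, reason), the sample rows, the `blacklist_to_intel` name and the `example-ssl-blacklist` source label are assumptions made for illustration.

```python
import csv
import io
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
INTEL_FIELDS = ("indicator", "indicator_type", "meta.source", "meta.desc")

# Constructed sample input; the column layout is an assumption, not a real feed.
SAMPLE_BLACKLIST = """\
# Listingdate,SHA1,Listingreason
2014-07-30 10:00:00,0123456789ABCDEF0123456789ABCDEF01234567,Constructed entry one
2014-07-30 10:05:00,0123456789abcdef0123456789abcdef01234567,duplicate of the first
2014-07-30 10:10:00,d41d8cd98f00b204e9800998ecf8427e,MD5-length value (rejected)

2014-07-30 10:15:00,89abcdef0123456789abcdef0123456789abcdef,Constructed\tentry two
"""


def blacklist_to_intel(text, source="example-ssl-blacklist"):
    """Return intel framework file content for the SHA-1 hashes found in text."""
    seen = set()
    # The header and every data row must be separated by literal tabs.
    lines = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    for row in csv.reader(io.StringIO(text)):
        # Skip blank lines, short rows and comment lines.
        if len(row) < 2 or row[0].lstrip().startswith("#"):
            continue
        sha1 = row[1].strip().lower()
        # Keep only well-formed SHA-1 values and drop duplicates.
        if not SHA1_RE.match(sha1) or sha1 in seen:
            continue
        seen.add(sha1)
        desc = row[2] if len(row) > 2 else ""
        # A tab or newline inside the description would break the row layout;
        # "-" marks an unset field.
        desc = re.sub(r"\s+", " ", desc).strip() or "-"
        # Certificates are matched like files, hence Intel::FILE_HASH.
        lines.append("\t".join((sha1, "Intel::FILE_HASH", source, desc)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(blacklist_to_intel(SAMPLE_BLACKLIST), end="")
```

Write the result to a file listed in `Intel::read_files` and load policy/frameworks/intel/seen/file-hashes.bro, as described in the quoted reply.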