[Bro] Multiple Intel framework hits for same connection?
lists at g-clef.net
Tue Sep 30 13:39:47 PDT 2014
I've done some more digging on this, and I'm a bit more confused than
when I started (not the first time that's been true). I have put a cert
for a server I control into the intel framework with a line like this:
blacklist_test https://testingurl/ T -
Bro's intel framework never fires for connections to the host with this
cert. I do see the cert's hash in files.log, so it is being passed over
the wire past bro. If I add the host's IP to the intel file, the intel
framework generates notices properly, so I know the intel framework is
loaded & generally working.
The thing that confuses me is that when I look at the scripts in
policy/frameworks/intel/seen, I can see scripts that will generate
source information for every Intel type *except* for Intel::USER_NAME
and Intel::CERT_HASH. Am I barking up a wrong tree here, or did those
two not get implemented in the intel framework scripts?
If they did get implemented, then I'm not sure what I'm doing wrong... I
just can't get bro to fire for SSL cert hashes. I'm running bro 2.3.1
(just updated today), if that makes any difference.
On 09/19/2014 04:15 PM, Seth Hall wrote:
> On Sep 19, 2014, at 3:57 PM, Aaron Gee-Clough <lists at g-clef.net> wrote:
>> I have a question about the intel framework: if a flow matches both an
>> Intel::ADDR and Intel::CERT_HASH (for example), will the intel framework
>> generate notice logs for both matches, or just one?
> It should definitely match both. That's a problem if it's not.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
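An added example, not from the thread or the Bro distribution, of the missing piece the message above describes: a small Bro script that submits the SHA1 of each X.509 certificate seen on the wire to the Intel framework as Intel::CERT_HASH, so an intel file entry of that type can match. It assumes the X.509 file analyzer still tags certificates with the MIME type "application/pkix-cert", that X509::IN_CERT is defined in where-locations.bro, and that the @load path below resolves on the reader's BROPATH.

```bro
##! Added example (not shipped with Bro): feed X.509 certificate SHA1
##! fingerprints to the Intel framework as Intel::CERT_HASH.

@load base/frameworks/intel
@load base/files/x509
# Assumption: policy/ is on BROPATH, so this resolves to the seen/ locations.
@load frameworks/intel/seen/where-locations

module IntelCertHash;

export {
	## MIME type the X.509 file analyzer registers for.
	## Assumption: unchanged in the reader's Bro version.
	const cert_mime_type = "application/pkix-cert" &redef;
}

# file_hash fires once per hash kind (md5, sha1, ...) after the file is
# complete, so f$info$mime_type is already populated at this point.
event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( ! f?$info || ! f$info?$mime_type )
		return;

	# Only certificates, and only the SHA1 that appears in files.log.
	if ( f$info$mime_type != cert_mime_type || kind != "sha1" )
		return;

	# Hand the fingerprint to the Intel framework under the CERT_HASH type;
	# matching is an exact string comparison against the intel file, so the
	# indicator there must be the same lowercase hex as in files.log.
	Intel::seen([$indicator=hash,
	             $indicator_type=Intel::CERT_HASH,
	             $f=f,
	             $where=X509::IN_CERT]);
	}
```

Load it alongside the intel framework (e.g. from local.bro) and the resulting intel.log entry carries the connection via the file's conns, independently of any Intel::ADDR match on the same flow.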