[Bro] Disable some type of "alerts" for internal servers

Siwek, Jon jsiwek at illinois.edu
Fri Mar 13 07:40:50 PDT 2015


> On Mar 13, 2015, at 6:46 AM, C.L. Martinez <carlopmart at gmail.com> wrote:
> 
> Hi all,
> 
>  I am receiving a lot of alerts like this:
> 
>  Bro SSL::Invalid_Server_Cert. 172.16.129.8 (Unknown):3040 -> 
> 172.17.0.130 (Unknown):1610
> 
>  which is correct: we are using a lot of self-signed certs in our 
> infrastructure.
> 
>  Is it possible to disable this type of alert for an IP or a group of IP's?

A script like this may do what you want:

const invalid_ssl_whitelist: set[addr] = { 
    # Add IPs here
} &redef;

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSL::Invalid_Server_Cert && 
         n$conn$id$resp_h in invalid_ssl_whitelist )
        # Clear all actions for this notice.
        n$actions = Notice::ActionSet();
    }

You can probably also add logic to filter only if the reason it’s invalid is due to self-signing (e.g. as opposed to expired) by inspecting n$msg.

Some related docs to reference:

https://www.bro.org/sphinx/frameworks/notice.html

- Jon
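An added example (not part of Jon's reply or of the Bro distribution) that extends the script above in the two directions he mentions: the whitelist is a set of subnets instead of single addresses, and the notice is only silenced when the validation reason is self-signing. It assumes the notice message embeds the OpenSSL reason string, e.g. "SSL certificate validation failed with (self signed certificate)"; the 172.17.0.0/16 range is a constructed sample value.

```bro
# Whitelist of internal ranges whose self-signed certs are expected.
# An addr tested with "in" against a set[subnet] matches on prefix.
const invalid_ssl_whitelist: set[subnet] = {
    172.17.0.0/16,      # constructed sample range; replace with your own
} &redef;

# Substrings of the OpenSSL verification reason that mean "self-signed".
# Assumption: Bro copies that reason into n$msg for Invalid_Server_Cert.
const self_signed_reasons: set[string] = {
    "self signed certificate",
    "self signed certificate in certificate chain",
} &redef;

# Returns T when the notice message names a self-signing reason.
function is_self_signed_msg(msg: string): bool
    {
    for ( r in self_signed_reasons )
        if ( r in msg )
            return T;
    return F;
    }

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSL::Invalid_Server_Cert && n?$conn && n?$msg )
        {
        local resp = n$conn$id$resp_h;

        if ( resp in invalid_ssl_whitelist && is_self_signed_msg(n$msg) )
            {
            # Expected self-signed cert on an internal server: drop all
            # actions. Expired or otherwise invalid certs on the same
            # hosts still raise the notice, which is what you want to see.
            n$actions = Notice::ActionSet();
            }
        }
    }
```

If you would rather keep an audit trail, replace the assignment with `delete n$actions[Notice::ACTION_EMAIL];` (or whichever action is noisy) so the notice still lands in notice.log while the alerting channel stays quiet.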
