[Bro] Disable some type of "alerts" for internal servers

Siwek, Jon jsiwek at illinois.edu
Fri Mar 13 07:40:50 PDT 2015

> On Mar 13, 2015, at 6:46 AM, C.L. Martinez <carlopmart at gmail.com> wrote:
> Hi all,
>  I am receiving a lot of alerts like this:
>  Bro SSL::Invalid_Server_Cert. (Unknown):3040 -> (Unknown):1610
>  which is correct: we are using a lot of auto-signed certs in our
> infrastructure.
>  Is it possible to disable this type of alert for an IP or a group of IPs?

A script like this may do what you want:

const invalid_ssl_whitelist: set[addr] = {
    # Add IPs here
} &redef;

# Hook bodies need braces like function bodies; without them the script won't parse.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSL::Invalid_Server_Cert &&
         n$conn$id$resp_h in invalid_ssl_whitelist )
        # Clear all actions for this notice.
        n$actions = Notice::ActionSet();
    }

You can probably also add logic to filter only if the reason it’s invalid is due to self-signing (e.g. as opposed to expired) by inspecting n$msg.

Some related docs to reference:


- Jon
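The following is an added example, not code from the original thread or from the Bro project. It extends the idea in the reply above in two ways: the whitelist is a set[subnet] so whole internal ranges can be listed (Bro's `in` operator matches an addr against a set of subnets), and the notice is only suppressed when the validation failure reason is a self-signed certificate, so expired or otherwise broken certificates on internal hosts still alert. It assumes the notice's $msg embeds the OpenSSL validation status string (e.g. "self signed certificate") and that $conn is set on the notice, as in the Bro 2.x `protocols/ssl/validate-certs` script; the module name, constant names and the sample subnets are constructed for the example.

```bro
##! Added example: suppress SSL::Invalid_Server_Cert only for whitelisted
##! internal servers, and only when the reason is a self-signed certificate.

@load base/frameworks/notice
@load protocols/ssl/validate-certs

module InternalSSL;

export {
	## Internal servers (single addresses as /32, or whole ranges) that are
	## expected to present self-signed certificates.
	## Constructed sample values; replace with your own ranges.
	const self_signed_whitelist: set[subnet] = {
		10.0.0.0/8,
		192.168.1.10/32,
	} &redef;

	## Validation reasons treated as expected for whitelisted hosts.
	## Assumes OpenSSL's wording, which the validate-certs script embeds in $msg.
	const expected_reasons: pattern = /self signed certificate/ &redef;
}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSL::Invalid_Server_Cert )
		return;

	# Not every notice type carries a connection record; check before use.
	if ( ! n?$conn )
		return;

	# Only the responder (server) side is whitelisted, so an internal client
	# talking to an external host with a bad certificate still produces the notice.
	if ( n$conn$id$resp_h !in self_signed_whitelist )
		return;

	# Expired, revoked or hostname-mismatched certificates on internal hosts
	# are not expected, so they keep their normal actions.
	if ( expected_reasons !in n$msg )
		return;

	# Drop every action (logging, email, alarm) for this matching notice.
	n$actions = Notice::ActionSet();
	}
```

Load the script from local.bro and adjust the whitelist with `redef InternalSSL::self_signed_whitelist += { ... };`. If you would rather keep the entry in notice.log but stop the noisier actions, replace the last statement with `delete n$actions[Notice::ACTION_EMAIL];` (and likewise for any other action you want removed) so the record is still written for later review.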
