[Bro] Trying to get a simple detection on certificate hashes to fire

Mike Eriksson mike at swedishmike.org
Thu Mar 1 06:02:49 PST 2018


Many thanks for that - looking in all the wrong places for the right things
as usual. ;)

Cheers, Mike

On Thu, Mar 1, 2018 at 1:48 PM Azoff, Justin S <jazoff at illinois.edu> wrote:

> > On Mar 1, 2018, at 6:08 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> >
> > The hashes I'm using are taken from my x509.log - just to make sure that
> I tested against something that comes up quite a lot in our environment.
> I've been using data from the field 'serial' - since there is no actual
> field called 'hash' in either x509.log or known_certs.
> >
> > Have I been using the wrong identifier or is there some 'hash all certs'
> setting somewhere that I've missed?
> Ah.. that is where you went wrong..  The hashes for certs end up in
> files.log (with all other files).
> It could make sense for it to be in the x509 or known certs log. I know
> there was some talk about re-doing that log file to be more useful and less
> verbose.
> In any case, if you have a cert of interest in the x509.log, you can use
> the 'id' column to find the corresponding file record in the files.log
> The files.log has the sha1 column which is the hash you would add to the
> intel file.
> If you wanted to see how it is implemented,
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/x509.bro
> is what produces all the intel data from certs.
>> Justin Azoff
> --

website: http://swedishmike.org
twitter: https://twitter.com/swedishmike
github: http://github.com/swedishmike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180301/79de2ac4/attachment-0001.html 

More information about the Bro mailing list