[Bro] Adding trusted cert to Bro (Security Onion)

Scott Runnels srunnels at gmail.com
Wed Jan 9 09:39:00 PST 2013


Hi Michael,

Were it me, I would place it in /opt/bro/share/bro/site/

then issue install and restart from within broctl.

v/r
Scott Runnels




On Wed, Jan 9, 2013 at 12:34 PM, Michael Bower <mbower2 at gmail.com> wrote:

> ugh, sorry...it IS there.  I was in base.  So where do I add the cert?
> Dump it here? share/bro/base/protocols/ssl/
>
>
> On Wed, Jan 9, 2013 at 12:24 PM, Scott Runnels <srunnels at gmail.com> wrote:
>
>> Michael,
>>
>> In my recent (read: default) build for Security Onion, I have
>> validate-certs.bro.
>>
>> scott@SO-511:/opt/bro$ find . -iname "*validate*"
>> ./share/bro/policy/protocols/ssl/validate-certs.bro
>>
>> Do you not have the same?
>>
>> v/r
>> Scott
>>
>>
>>
>>
>> On Wed, Jan 9, 2013 at 12:06 PM, Michael Bower <mbower2 at gmail.com> wrote:
>>
>>> I'm looking to add our internal domain CA to Bro so it can validate certs
>>> that are generated from the server.  I am new to Bro, so I'm not sure where
>>> to start.
>>>
>>> I found this:
>>> http://www.bro-ids.org/bro-workshop-2011/solutions/extending/index.html
>>>
>>> Which sounds like it is exactly what I need to do, I'm just not sure how
>>> to go about it.
>>>
>>> My SO deployment is a distributed setup (1 Master, 2 sensors so far).
>>>  On the sensors, I have checked /opt/bro/share/bro/site/local.bro and found
>>> the following:
>>>
>>> # This script enables SSL/TLS certificate validation.
>>> @load protocols/ssl/validate-certs
>>>
>>> Checking the protocols/ssl directory, I don't see that script.  My
>>> question is, will it get loaded if I created the validate-certs script it's
>>> looking for?
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks!
>>>
>>> --
>>>
>>> Mike
>>>
>>>
>>
>>
>>
>> --
>> Scott Runnels
>>
>>
>
>
> --
>
> Mike
>



-- 
Scott Runnels
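
Added example, not part of the original thread: one way to turn an internal CA's PEM file into a Bro script that can be placed in /opt/bro/share/bro/site/ and loaded from local.bro before running install and restart in broctl. It assumes Bro 2.x's SSL::root_certs table (subject string mapped to the DER certificate as a \x-escaped string); the subject, the output file name and the sample bytes are constructed placeholders.

```python
#!/usr/bin/env python3
"""Convert a PEM CA certificate into a Bro 'redef SSL::root_certs' script."""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a 5-byte ASN.1 SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in pem_text."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def bro_escape(der):
    """Encode bytes as the \\xNN string form used for Bro root certificates."""
    return "".join("\\x%02X" % b for b in der)

def root_certs_redef(subject, der):
    """Build the redef statement; subject is the table index (assumed label)."""
    if not der.startswith(b"\x30"):
        raise ValueError("DER certificate must start with an ASN.1 SEQUENCE")
    if '"' in subject or "\\" in subject:
        raise ValueError("subject must not contain quotes or backslashes")
    return 'redef SSL::root_certs += {\n\t["%s"] = "%s"\n};\n' % (
        subject, bro_escape(der))

if __name__ == "__main__":
    # Usage: script.py ca.pem "CN=Example Internal CA" > internal-ca.bro
    # (internal-ca.bro is a hypothetical name; @load it from local.bro)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            ders = pem_to_der(fh.read())
        subject = sys.argv[2]
    else:
        ders, subject = pem_to_der(SAMPLE_PEM), "CN=Example Internal CA"
    for der in ders:
        sys.stdout.write(root_certs_redef(subject, der))
```
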