[Bro] SSLBL
Johanna Amann
johanna at icir.org
Tue Jul 15 09:55:34 PDT 2014
Hello James,

using blacklists like this is actually quite easy nowadays. Just loading
the list of blacklisted SHA-1 hashes into the intel framework and making
sure that policy/frameworks/intel/seen/file-hashes.bro is loaded should
be enough.

Certificates used in SSL connections are handled just like files, so if
one of the certificates is encountered after loading the data, it should
trigger a notification.

You just have to reformat the list for the intel framework.

Johanna
On 15 Jul 2014, at 9:40, James Lay wrote:
> Interesting:
>
> https://sslbl.abuse.ch/blacklist/
>
> Wonder if bro can support this?
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
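
The reformatting step mentioned in the reply, as an added example that is not part of the original thread and not code from the Bro project. It assumes the SSLBL download is a CSV with `#` comment lines and the columns listing date, SHA-1, listing reason; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
import re

SHA1_RE = re.compile(r"[0-9a-f]{40}")
# Tab-separated header line that the intel framework expects.
HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"


def sslbl_to_intel(csv_text, source="abuse.ch SSLBL"):
    """Convert SSLBL CSV text into the content of an intel framework file."""
    lines = [HEADER]
    seen = set()
    for row in csv.reader(io.StringIO(csv_text)):
        # Skip blank lines, comment lines and rows without a hash column.
        if len(row) < 2 or row[0].lstrip().startswith("#"):
            continue
        sha1 = row[1].strip().lower()
        # Drop malformed hashes and duplicates instead of loading them.
        if not SHA1_RE.fullmatch(sha1) or sha1 in seen:
            continue
        seen.add(sha1)
        reason = row[2].strip() if len(row) > 2 else ""
        # Tabs delimit fields, so none may appear inside a value;
        # "-" marks an unset field.
        reason = reason.replace("\t", " ") or "-"
        lines.append("\t".join([sha1, "Intel::FILE_HASH", source, reason]))
    return "\n".join(lines) + "\n"


# Constructed sample input; the hashes are placeholders, not real SSLBL entries.
H1 = "a1" * 20
H2 = "b2" * 20
SAMPLE = f"""\
# constructed sample, assumed layout:
# Listingdate,SHA1,Listingreason
2014-07-15 10:00:00,{H1.upper()},Example C&C
2014-07-15 10:05:00,{H2},
2014-07-15 10:06:00,not-a-hash,Broken row
2014-07-15 10:07:00,{H1},Duplicate of first row
"""

if __name__ == "__main__":
    print(sslbl_to_intel(SAMPLE), end="")
```

The resulting file is read by the intel framework once its path is added to `Intel::read_files`.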