[Bro] SSLBL

James Lay jlay at slave-tothe-box.net
Tue Jul 15 09:59:52 PDT 2014


On 2014-07-15 10:55, Johanna Amann wrote:
> Hello James,
>
> using blacklists like this is actually quite easy nowadays. Just
> loading the list of blacklisted SHA-1 hashes into the intel framework
> and making sure that policy/frameworks/intel/seen/file-hashes.bro is
> loaded should be enough.
>
> Certificates used in SSL connections are handled just like files, so
> if one of the certificates is encountered after loading the data, it
> should trigger a notification.
>
> You just have to reformat the list for the intel framework.
>
> Johanna
>
> On 15 Jul 2014, at 9:40, James Lay wrote:
>
>> Interesting:
>>
>> https://sslbl.abuse.ch/blacklist/
>>
>> Wonder if bro can support this?
>>
>> James

Thank you Johanna...I will go down that path.

James
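
Added example, not part of the original thread: one way to do the reformatting step Johanna describes, turning an SSLBL CSV export into a tab-separated data file for the intel framework with indicator type Intel::FILE_HASH. The CSV column layout (listing date, SHA-1, listing reason), the function name sslbl_to_intel, and the source label are assumptions; the sample rows are constructed.

```python
import csv
import io
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"

# Constructed sample input (not real SSLBL entries). Assumed layout:
# '#' comment lines, then listing date, SHA-1 fingerprint, listing reason.
SAMPLE_CSV = """\
# Constructed sample in the assumed SSLBL CSV layout
# Listingdate,SHA1,Listingreason
2014-07-14 08:00:00,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,Example C&C
2014-07-15 09:30:00,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,Example\tMITM
2014-07-15 09:31:00,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Duplicate entry
2014-07-15 09:32:00,not-a-sha1,Malformed row
"""


def sslbl_to_intel(csv_text, source="abuse.ch-SSLBL"):
    """Return (intel_file_text, skipped_rows) for a Bro intel data file."""
    lines = [HEADER]
    seen, skipped = set(), []
    rows = (l for l in io.StringIO(csv_text)
            if l.strip() and not l.startswith("#"))
    for row in csv.reader(rows):
        sha1 = row[1].strip().lower() if len(row) >= 3 else ""
        if not SHA1_RE.match(sha1):
            skipped.append(row)   # never copy unvalidated text into the intel file
            continue
        if sha1 in seen:          # keep only the first listing of each hash
            continue
        seen.add(sha1)
        # Intel files are tab-separated: collapse tabs/whitespace in the
        # reason so a stray tab cannot shift the columns.
        desc = " ".join(",".join(row[2:]).split()) or "-"
        lines.append("\t".join([sha1, "Intel::FILE_HASH", source, desc]))
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    intel, skipped = sslbl_to_intel(SAMPLE_CSV)
    print(intel, end="")
    print("skipped rows:", skipped)
```

The output file is then listed in Intel::read_files, with policy/frameworks/intel/seen/file-hashes.bro loaded as described in the reply above.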



