[Bro] SSLBL

Anthony VEREZ netantho at gmail.com
Wed Jul 30 15:08:19 PDT 2014


Hi,

I created a Python script to get and parse the latest version of a blacklist
and convert it to the Bro intel framework format:
https://gist.github.com/netantho/b4f5a3df008184119695#file-gistfile1-py

Thanks James and Johanna for the idea :)

Anthony

On 7/15/14, 9:59 AM, James Lay wrote:
> On 2014-07-15 10:55, Johanna Amann wrote:
>> Hello James,
>>
>> using blacklists like this is actually quite easy nowadays. Just
>> loading the list of blacklisted SHA-1 hashes into the intel framework
>> and making sure that policy/frameworks/intel/seen/file-hashes.bro is
>> loaded should be enough.
>>
>> Certificates used in SSL connections are handled just like files, so
>> if one of the certificates is encountered after loading the data, it
>> should trigger a notification.
>>
>> You just have to reformat the list for the intel framework.
>>
>> Johanna
>>
>> On 15 Jul 2014, at 9:40, James Lay wrote:
>>
>>> Interesting:
>>>
>>> https://sslbl.abuse.ch/blacklist/
>>>
>>> Wonder if bro can support this?
>>>
>>> James
> 
> Thank you Johanna...I will go down that path.
> 
> James
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 