[Bro] SSLBL

Johanna Amann johanna at icir.org
Wed Jul 30 15:21:43 PDT 2014


...and the same in Perl:
https://github.com/0xxon/bro-utils/blob/master/convert-blacklist.pl

I sent that to James a while ago but forgot to CC the list.

Johanna

On 30 Jul 2014, at 15:08, Anthony VEREZ wrote:

> Hi,
>
> I created a Python script to get and parse the latest version of a
> blacklist and convert it to the Bro intel framework format:
> https://gist.github.com/netantho/b4f5a3df008184119695#file-gistfile1-py
>
> Thanks James and Johanna for the idea :)
>
> Anthony
>
> On 7/15/14, 9:59 AM, James Lay wrote:
>> On 2014-07-15 10:55, Johanna Amann wrote:
>>> Hello James,
>>>
>>> using blacklists like this is actually quite easy nowadays. Just
>>> loading the list of blacklisted SHA-1 hashes into the intel framework
>>> and making sure that policy/frameworks/intel/seen/file-hashes.bro is
>>> loaded should be enough.
>>>
>>> Certificates used in SSL connections are handled just like files, so
>>> if one of the certificates is encountered after loading the data, it
>>> should trigger a notification.
>>>
>>> You just have to reformat the list for the intel framework.
>>>
>>> Johanna
>>>
>>> On 15 Jul 2014, at 9:40, James Lay wrote:
>>>
>>>> Interesting:
>>>>
>>>> https://sslbl.abuse.ch/blacklist/
>>>>
>>>> Wonder if Bro can support this?
>>>>
>>>> James
>>
>> Thank you Johanna...I will go down that path.
>>
>> James
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>

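The reformatting step discussed in the thread, as an added example that is not part of the original messages and is not the code of either linked script. It assumes the blacklist is a CSV with `#` comment lines and the columns listing date, SHA-1, listing reason; the function name `sslbl_to_intel`, the source label and the sample rows are constructed for illustration.

```python
import csv
import re

SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
# Header line of a Bro intel framework file; all fields are tab-separated.
INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url"
SOURCE_URL = "https://sslbl.abuse.ch/blacklist/"


def sslbl_to_intel(lines, source="abuse.ch SSLBL"):
    """Convert blacklist CSV lines to intel file text; return (text, skipped)."""
    rows, seen, skipped = [INTEL_HEADER], set(), 0
    data = (l for l in lines if l.strip() and not l.lstrip().startswith("#"))
    for rec in csv.reader(data):
        # Assumed column order: listing date, SHA-1, listing reason.
        if len(rec) < 3 or not SHA1_RE.fullmatch(rec[1].strip()):
            skipped += 1  # malformed row: count it instead of emitting garbage
            continue
        sha1 = rec[1].strip().lower()  # normalise to lowercase hex
        if sha1 in seen:  # the same certificate may be listed more than once
            continue
        seen.add(sha1)
        # Tabs or newlines in the reason would break the tab-separated layout.
        desc = re.sub(r"\s+", " ", rec[2]).strip() or "-"
        rows.append("\t".join([sha1, "Intel::FILE_HASH", source, desc, SOURCE_URL]))
    return "\n".join(rows) + "\n", skipped


# Constructed sample input (not real blacklist entries).
SAMPLE = [
    "# Listingdate,SHA1,Listingreason",
    "2014-07-30 10:00:00," + "AB" * 20 + ",Example\tC&C",
    "2014-07-30 11:00:00," + "ab" * 20 + ",duplicate of the first row",
    "2014-07-30 12:00:00,not-a-sha1,malformed row",
    "2014-07-30 13:00:00," + "0f" * 20 + ',"Example, quoted reason"',
]

if __name__ == "__main__":
    text, skipped = sslbl_to_intel(SAMPLE)
    print(text, end="")
    print("skipped %d malformed row(s)" % skipped)
```

Write the returned text to a file, add that file to `Intel::read_files`, and load policy/frameworks/intel/seen/file-hashes.bro as described in the quoted reply.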