[Bro] Disable some type of "alerts" for internal servers

C.L. Martinez carlopmart at gmail.com
Sun Mar 15 10:06:07 PDT 2015



On 03/13/2015 02:40 PM, Siwek, Jon wrote:
>
>> On Mar 13, 2015, at 6:46 AM, C.L. Martinez <carlopmart at gmail.com> wrote:
>>
>> Hi all,
>>
>>   I am receiving a lot of alerts like this:
>>
>>   Bro SSL::Invalid_Server_Cert. 172.16.129.8 (Unknown):3040 ->
>> 172.17.0.130 (Unknown):1610
>>
>>   which is correct: we are using a lot of self-signed certs in our
>> infrastructure.
>>
>>   Is it possible to disable this type of alert for an IP or a group of IPs?
>
> A script like this may do what you want:
>
> const invalid_ssl_whitelist: set[addr] = {
>      # Add IPs here
> } &redef;
>
> hook Notice::policy(n: Notice::Info)
>      {
>      if ( n$note == SSL::Invalid_Server_Cert &&
>           n$conn$id$resp_h in invalid_ssl_whitelist )
>          # Clear all actions for this notice.
>          n$actions = Notice::ActionSet();
>      }
>
> You can probably also add logic to filter only if the reason it’s invalid is due to self-signing (e.g. as opposed to expired) by inspecting n$msg.
>
> Some related docs to reference:
>
> https://www.bro.org/sphinx/frameworks/notice.html
>
> - Jon
>

Many thanks Jon,

  But I am doing something wrong. When I launch "bro check", I receive 
the following error:

bro scripts failed.
    error in /data/config/etc/bro/policy/custom.bro, line 24: unknown identifier SSL::Invalid_Server_Cert, at or near "SSL::Invalid_Server_Cert"

  Currently:

# Disable SSL::Invalid_Server_Cert alert for internal hosts
const invalid_ssl_whitelist: set[addr] = {
         10.19.0.12
} &redef;

hook Notice::policy(n: Notice::Info)
         {
         if ( n$note == SSL::Invalid_Server_Cert &&
                 n$conn$id$resp_h in invalid_ssl_whitelist )
                 # Clear all actions for this notice.
                 n$actions = Notice::ActionSet();
         }

# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts

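An added, complete version of the script (my own, not code from this thread or from the Bro project; the subnets in it are placeholders): the SSL::Invalid_Server_Cert notice type is declared in policy/protocols/ssl/validate-certs.bro, so a script that references it has to @load that file before the hook is parsed, otherwise the identifier is unknown at that point in load order, which is the error "bro check" reports. The example also takes up Jon's suggestion of looking at n$msg so that only self-signed failures are muted and an expired or otherwise bad certificate on the same host still raises the notice.

```bro
# Added example, not from the original thread. Stand-alone policy script:
# suppress SSL::Invalid_Server_Cert for internal responders whose
# certificates are expected to be self-signed. Subnets are placeholders.

# The notice type is declared here; without this @load the hook below
# refers to an identifier that does not yet exist, and "bro check" fails
# with "unknown identifier SSL::Invalid_Server_Cert".
@load base/frameworks/notice
@load protocols/ssl/validate-certs

# Internal hosts whose self-signed certificates are expected. A set[subnet]
# covers whole ranges; testing an addr against it matches by longest prefix.
# Placeholder values.
const invalid_ssl_whitelist: set[subnet] = {
	10.19.0.12/32,
	172.17.0.0/24,
} &redef;

# If T, mute the notice only when the verification failure is "self signed";
# expired or untrusted-CA certificates on the same hosts still alert.
const invalid_ssl_only_self_signed = T &redef;

hook Notice::policy(n: Notice::Info)
	{
	# Not every notice carries a connection, so test n?$conn before
	# dereferencing it. validate-certs puts the OpenSSL verification
	# result in the message, e.g.
	# "SSL certificate validation failed with (self signed certificate)".
	if ( n$note == SSL::Invalid_Server_Cert &&
	     n?$conn && n$conn$id$resp_h in invalid_ssl_whitelist &&
	     ( ! invalid_ssl_only_self_signed ||
	       ( n?$msg && /self signed certificate/ in n$msg ) ) )
		# Clear all actions: the notice is neither logged nor emailed.
		n$actions = Notice::ActionSet();
	}
```

Drop this into the policy directory in place of custom.bro and run "bro check" again; the pattern check assumes the message text produced by validate-certs, so if a different SSL policy script is in use, inspect its notice message before relying on the match.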